Intelligence operations using Crypto AG compromised devices
| Intelligence operations using Crypto AG compromised devices | |
|---|---|
| Part of Cold War and Post–Cold War intelligence operations | |
| Date | c. 1951–2018 |

The intelligence operations using Crypto AG compromised devices were a decades-long espionage effort in which the Central Intelligence Agency (CIA) and the Bundesnachrichtendienst (BND) exploited deliberately weakened encryption equipment built by the Swiss firm Crypto AG. The company's devices were sold to more than 120 governments and remained in use from the 1950s through the 2010s.[1] Known successively as Thesaurus (until the late 1980s) and later as Rubicon to the BND and Minerva to the CIA, the operation let the United States and West Germany read the diplomatic and military traffic of a striking range of countries, taking in allies, non-aligned states, and adversaries.[2] At its peak, Crypto AG devices accounted for at least 40 percent of the NSA's machine-derived decryption output, and for the BND they supplied roughly 90 percent of its diplomatic intelligence reporting.[1] A leaked internal CIA history written around 2004, titled "MINERVA: A History", called the programme "the intelligence coup of the century".[3]
The operation's full scope was publicly revealed on 11 February 2020 through a joint investigation by The Washington Post, German public broadcaster ZDF, and Swiss public broadcaster SRF, based on the leaked CIA history and a companion BND oral history compiled in 2008.[1][4]
Origins: Hagelin, Friedman, and the gentleman's agreement (1940s-1960s)
Wartime roots
The story of the operation begins with the personal relationship between two men: Boris Hagelin, a Russian-born Swedish industrialist who manufactured cipher machines, and William F. Friedman, the pioneering American cryptanalyst who is widely regarded as the father of American cryptology.[5][6]

Hagelin's company traces its origins to Aktiebolaget Cryptograph (AB Cryptograph), founded in Stockholm on 21 July 1916 (growing out of a patent consortium formed in 1915) to exploit the rotor-machine inventions of Arvid Gerhard Damm.[7] Boris Hagelin's father, Karl Wilhelm Hagelin, was an early investor and placed his son in the firm to represent the family's stake. Hagelin took over the running of the business in the late 1920s and assumed full control after Damm's death in 1928. The patent rights passed in 1930 to Hagelin's own firm, Ingeniörsfirman Teknik, which was renamed Aktiebolaget Cryptoteknik (AB Cryptoteknik) in 1939; its activities were transferred to the Swiss-incorporated Crypto AG by 1958.[7][8] When Germany invaded Norway in 1940, Hagelin fled from Sweden to the United States, carrying a prototype of his C-36 cipher machine. He presented the device to the United States Army, which brought it to the code-breakers at Arlington Hall. The U.S. military ultimately purchased a manufacturing licence and produced approximately 140,000 units of the device (designated the M-209) for American troops during the war.[6]
During his wartime stay in the United States, Hagelin forged a close friendship with Friedman. The two men, both born in Russia and sharing a deep fascination with mathematics and cryptographic technology, developed a bond that would prove decisive for the next half century of intelligence history.[5][6] In his NPR interview about the operation, Washington Post reporter Greg Miller described the Hagelin-Friedman relationship as "one of the crucial relationships not only in this operation but in all of Cold War espionage".[6]
Postwar crisis and the move to Switzerland
After the war, demand for cipher machines collapsed. Sales at Hagelin's firm halved between 1945 and 1946, and in 1947 he sold just 57 machines. Hagelin fell into depression and considered closing the company.[8] In 1948, he relocated to Steinhausen, Switzerland, to take advantage of favourable tax conditions. In 1952, the company was formally re-incorporated in Switzerland under the name Crypto AG, ostensibly because of fears of a planned Swedish nationalisation of military technology firms. A holding company was established in Liechtenstein to conceal the true ownership structure.[1]
The onset of the Cold War revived the encryption market. Through the mid-1950s, Crypto AG was selling between 400 and 500 machines annually; by 1963, annual sales exceeded 5,000 units, driven by demand from newly independent states, Middle Eastern governments, and South American military regimes.[8] Its flagship product, the CX-52, was one of the most advanced commercially available cipher machines of its era. When operated correctly and with proper key settings, it was extremely difficult to crack.[8]
The gentleman's agreement (1951-1958)
Friedman, who in 1952 had become the chief cryptologist of the newly established National Security Agency, viewed Hagelin's growing commercial success with alarm. If foreign governments purchased strong, properly configured CX-52 machines, the NSA's ability to read their communications would be severely compromised.[6] In 1951, Friedman met Hagelin at the Cosmos Club in Washington, D.C., where the foundations of what the leaked documents call a "gentleman's understanding" were laid.[5]
The arrangement, formalised after a visit by Friedman to Crypto AG's headquarters in Zug in February 1955, had several components. Under the agreement, Hagelin would inform the NSA and its British counterpart, GCHQ, about the technical specifications of his machines and the identities of the countries purchasing them. Crypto AG would withhold its most advanced, customisable models from countries deemed adversarial by the West, selling them only older, weaker systems. In return, Hagelin received financial compensation and the tacit assurance that the U.S. would not hinder his business with friendly nations.[5][9]
The method by which the encryption was weakened at this stage was subtle. Rather than inserting overt backdoors, which would have been detectable, the NSA produced alternative instruction manuals for Crypto AG machines. When operators in target countries followed these manuals, they would unknowingly configure their CX-52 machines with settings that dramatically reduced the cryptographic complexity, making the output tractable for NSA analysts. Countries that were NATO members and close allies of the U.S. received the genuine, secure instruction manuals; all others received the weakened versions.[8][5] A concrete and externally documented example of this two-tier marketing strategy was the pair of pocket cipher devices the company released in 1957. The CD-55 and the visually identical CD-57 were developed in parallel between 1955 and 1957 and entered the market the same year. From the outside they were indistinguishable, but the keying mechanisms differed substantially: the CD-55 used the same simple stepping principle as the wartime C-38 / M-209, whose output the NSA had long been able to break, while the CD-57 incorporated the more advanced irregular keying of the C-52 and CX-52, which independent cryptanalysts regarded as much harder to attack.[10][11] NATO members and NATO-friendly governments, including West Germany, were offered the CD-57; other customers, in particular Arab states, were offered only the CD-55. According to the cataloguing notes of Sotheby's and Bonhams, which auctioned military-issue specimens of both devices, the difference was never explained to potential customers.[12][13]
Documents from Friedman's personal collection, which he donated to the George Marshall Foundation at the Virginia Military Institute in 1969, reveal extensive correspondence between the two men throughout the 1950s. Hagelin kept the NSA informed of his company's sales and marketing activities, with his son Boris Jr. ("Bo"), who directed sales in the Americas, also corresponding with Friedman.[5] However, Hagelin increasingly chafed at the restrictions imposed by the arrangement, particularly regarding his inability to compete with the German technology giant Siemens in certain markets.[5]
Friedman formally retired from civil service in 1955, though he continued in a special-assistant capacity for several years thereafter. Management of the relationship with Hagelin passed to other senior NSA officials, including Howard C. Barlow and Lawrence E. Shinn, by the late 1950s.[5]
The transition to electronics and the deepening of compromise (1960s)
By the mid-1960s, the nature of the relationship began to change fundamentally. Encryption technology was transitioning from mechanical gears and rotors to electronic circuits and algorithms, a shift that Hagelin's engineers were ill-equipped to manage on their own.[6] The NSA saw an opportunity: it would provide Hagelin with the technical expertise needed to enter the electronic age, and in exchange, Crypto AG would allow the NSA to design the encryption algorithms themselves, building in concealed vulnerabilities from the outset.[6]
This represented a qualitative leap from the earlier arrangement. Under the gentleman's agreement, the machines were inherently capable of strong encryption but were deliberately misconfigured through rigged instruction manuals. Under the new arrangement, the vulnerabilities were engineered directly into the hardware and algorithms. As Greg Miller of the Washington Post explained, the NSA's pitch to Hagelin was essentially: "We'll give him the technology, the know-how to get into electronics and algorithms if he will let us design these machines and rig them so that we can read them going forward."[6]
At the same time, uninstructed employees of the firm occasionally discovered the vulnerabilities. An NSA mathematician named Peter Jenks had deliberately manipulated the customisable settings of the CX-52 to produce shortened cryptographic cycles, making the output breakable.[14] The arrival of Boris Hagelin Jr. as the firm's chief salesman for the Americas complicated matters: "Bo" was not informed of the secret arrangement and was aggressively expanding sales of Crypto AG products in Latin America, sometimes to countries and customers that the CIA and NSA did not wish to have even weakened versions of the equipment.[5]
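The rigged manuals described earlier and the shortened CX-52 cycles described in this section both turn on how key settings bound the length of the keystream cycle. The following is an added illustration, not part of the source article or of any historical document: a simplified model of regular stepping (the C-38 / M-209 principle, using that machine's six wheel sizes) with an audit that flags settings whose cycle collapses. The lug counts, pin patterns and function names are constructed assumptions, and the model does not reproduce the CX-52's irregular stepping or the contents of any actual manual.

```python
"""Key-setting audit for a simplified pin-wheel cipher with regular stepping."""
from math import lcm

# Wheel sizes of the C-38 / M-209. Every pin and lug value below is constructed
# for illustration; none is a historical key setting.
WHEEL_SIZES = (26, 25, 23, 21, 19, 17)
LUGS = (1, 2, 3, 6, 7, 8)  # simplification: one lug count per wheel, no overlaps


def pattern_period(seq):
    """Smallest rotation (a divisor of len(seq)) that maps seq onto itself."""
    n = len(seq)
    for p in range(1, n + 1):
        if n % p == 0 and all(seq[i] == seq[(i + p) % n] for i in range(n)):
            return p


def effective_period(setting):
    """State-cycle length when every wheel advances one pin per letter."""
    return lcm(*(pattern_period(pins) for pins in setting))


def keystream(setting, length, lugs=LUGS):
    """Key value per letter: lug total of the wheels whose current pin is active."""
    return [
        sum(lug for pins, lug in zip(setting, lugs) if pins[t % len(pins)]) % 26
        for t in range(length)
    ]


def observed_period(setting, max_states=100_000):
    """Measure the keystream's real period by brute force; None if too long."""
    bound = effective_period(setting)
    if bound > max_states:
        return None
    # One full state cycle of output; its minimal period divides the bound.
    return pattern_period(keystream(setting, bound))


def audit(setting, min_fraction=0.5):
    """Flag settings whose cycle is a small fraction of the machine's maximum."""
    maximum = lcm(*WHEEL_SIZES)
    period = effective_period(setting)
    periods = [(len(pins), pattern_period(pins)) for pins in setting]
    return {
        "period": period,
        "maximum": maximum,
        # Wheels with all pins alike contribute nothing to the key.
        "uniform_wheels": [n for n, p in periods if p == 1],
        # Wheels whose pattern repeats within one revolution.
        "short_wheels": [n for n, p in periods if 1 < p < n],
        "acceptable": period / maximum >= min_fraction,
    }


def scattered(n):
    """Constructed pattern with one unique longest run of active pins, so no
    rotation shorter than a full revolution maps it onto itself."""
    return ([1, 1, 1, 0] + [1, 0, 0, 1, 1, 0] * 5)[:n]


# Constructed settings: one that uses every wheel fully, and two of the kind a
# misleading procedure could produce while still looking like a valid key.
FULL = [scattered(n) for n in WHEEL_SIZES]
WEAK_UNIFORM = [[0] * 26, [0] * 25, [0] * 23, [0] * 21, scattered(19), scattered(17)]
WEAK_REPEATING = [[1, 0] * 13, [1, 0, 0, 1, 0] * 5, [1] * 23,
                  [1, 1, 0] * 7, [0] * 19, [1] * 17]

if __name__ == "__main__":
    for name, setting in [("full", FULL), ("weak-uniform", WEAK_UNIFORM),
                          ("weak-repeating", WEAK_REPEATING)]:
        report = audit(setting)
        print(f"{name:15} period={report['period']:>11,} of {report['maximum']:,} "
              f"uniform={report['uniform_wheels']} short={report['short_wheels']} "
              f"acceptable={report['acceptable']}")
```

In this model a setting can use all six wheels and still repeat after a few dozen letters, which is why a check of this kind looks at each wheel's pin pattern rather than at the number of wheels in use.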
The CIA-BND acquisition (1967-1970)
Hagelin's retirement and competing suitors
By the late 1960s, Boris Hagelin Sr. was in his late seventies, grieving the death of his wife Annie in 1966, and contemplating retirement. Friedman, long since retired and in declining health, died on 2 November 1969, severing the personal bond that had sustained the arrangement for two decades.[2]
News that Hagelin intended to sell his company set off a competition among Western intelligence services. In 1967, Hagelin was first approached about a sale by a partnership between the French and West German intelligence services. However, Hagelin, loyal to his American partners, informed the CIA, and the Americans refused to cooperate with the French, whom they regarded as an unacceptable security risk.[1]
The purchase
On 4 June 1970, Boris Hagelin formally transferred ownership of Crypto AG to the BND for approximately 25 million Swiss francs (about US$5.75 million). Eight days later, on 12 June, the BND signed a separate agreement with the CIA to share ownership of the company on a 50/50 basis.[2][15] The contract was signed on the German side by Horst Ehmke, then head of the Federal Chancellery and Federal Minister for Special Tasks, indicating that the operation had authorisation at the highest levels of the West German government.[1]
The NSA, though not a formal co-owner, became a full operational partner, providing the cryptographic expertise needed to design the weakened algorithms. Two major private corporations were also brought into the arrangement: Siemens provided engineering personnel and consulting, while Motorola supplied electronic components and technical assistance.[16] A 1975 secret workshop at Crypto AG at which a new prototype encryption device was demonstrated was attended by Nora L. Mackabee of the NSA (introduced as a "consultant") and Herb Frank of the CIA.[16]
The CIA used a secret base in Munich as its operational headquarters for the programme, initially on a military installation and later in the attic of a building adjacent to the U.S. Consulate.[1]
Ownership structure and management
The ownership of Crypto AG was deliberately concealed behind layers of corporate secrecy. A Liechtenstein-based trust structure held the company's bearer shares, making the true owners untraceable even to most of the firm's own managers. Only a select handful of executives were aware of the intelligence agencies' involvement.[1] Sture Nyberg, to whom Hagelin had entrusted day-to-day management, was the sole board member who knew the truth; he departed in 1976.[1]
The Liechtenstein vehicle through which this concealment was operated was the Vaduz-based law firm Marxer and Goop (today Marxer and Partner Rechtsanwälte), the oldest and largest law firm in the principality, founded by Ludwig Marxer in 1925.[17] According to the BND internal history, as quoted by the Washington Post, the firm administered the bearer-share structure that hid the true ownership of Crypto AG, was paid an annual retainer "less for the extensive work but more for their silence and acceptance," and operated as the legal nexus that allowed the CIA and BND to control the company without leaving identifying registration documents.[1] When approached by reporters in 2020, the successor firm (Marxer and Partner) declined to comment.[1]
A new board of directors, secretly controlled by the CIA and BND, oversaw the company's strategy. Each year, the two agencies split Crypto AG's profits, with the BND handling the accounting and physically delivering the CIA's share in cash in an underground parking garage, according to the German history.[1]
The company projected an image of Swiss neutrality and precision engineering, which became one of its most powerful selling points. As the leaked CIA history noted, Crypto AG's Swiss domicile gave it a cachet of trustworthiness that no American or German firm could have replicated.[1]
The death of Boris Hagelin Jr.
The same year the sale was completed, Boris Hagelin Jr., who had been the firm's leading salesman in the Americas and who had never been informed of the secret arrangement, died in a car accident on the Washington Beltway in November 1970, five months after the CIA-BND purchase.[18] According to the leaked BND internal history, as cited by SRF and 20 Minuten, the documents recorded after his death that it "would no longer be necessary to exercise such caution toward the Crypto AG board with regard to the ownership situation."[18] Boris Hagelin Sr. had the cause of the accident investigated and reportedly did not believe it was accidental.[1] German intelligence historian Erich Schmidt-Eenboom, head of the Research Institute for Peace Policy in Bavaria, told SRF that "even the vice-president of the Bundesnachrichtendienst assumed that Bo Hagelin was not the victim of an accident, but the victim of an intelligence killing", while emphasising that no direct evidence of CIA involvement has surfaced.[18] The Washington Post reported that the leaked CIA history, by contrast, stated that "there were no indications of foul play."[1]
The Minerva files reference at least five suspicious deaths linked, directly or peripherally, to the operation over the decades, including NSA employee Gary C. Durrell, shot in Karachi on 8 March 1995 in an attack that also killed CIA employee Jacqueline K. Van Landingham, and Werner Graf, a German employee of Crypto AG killed by a car bomb in Saudi Arabia in September 2002.[19][20] A former vice-president of the BND, quoted in the Minerva files, observed that "the number of deaths surrounding Crypto AG is disproportionately high", though the same documents do not establish a direct causal link to the operation.[19]
The golden age: joint CIA-BND operations (1970-1993)
Scale and scope of the operation
With the secret backing of two of the world's premier intelligence agencies and the industrial support of Siemens and Motorola, Crypto AG's business boomed. Sales surged from 15 million Swiss francs in 1970 to more than 51 million Swiss francs (approximately US$19 million) by 1975. The company's payroll expanded to more than 250 employees, with offices in Abidjan, Abu Dhabi, Buenos Aires, Kuala Lumpur, Muscat, Selsdon, and Steinhausen.[1]
Over the course of the operation, Crypto AG sold equipment to more than 120 countries. Clients included Iran, Egypt, Saudi Arabia, Pakistan, India, Libya, Iraq, the Vatican, and dozens of Latin American, African, and Asian governments.[1][2] Neither the Soviet Union nor the People's Republic of China purchased Crypto AG products, but several of their allied or client states did.[1]
The company maintained two tiers of products: secure versions, sold to NATO members and Switzerland, and compromised versions, sold to everyone else. However, the CIA and BND clashed repeatedly over this distinction. German intelligence did not want allied EU or NATO nations to be spied upon, while the CIA insisted on surveilling virtually every purchaser. The Americans routinely prevailed, with the result that NATO members including Spain, Greece, Turkey, Italy, Portugal, Ireland, and Belgium were also targeted.[1] In the words of Wolbert Smidt, a former BND director, the Americans "wanted to deal with the allies just like they dealt with the countries of the Third World". Another BND official echoed the sentiment, complaining that to the Americans, "in the world of intelligence there were no friends."[1]
The role of Kjell-Ove Widman
In the late 1970s, several Crypto AG engineers began to discover vulnerabilities in the company's products. Mengia Caflisch, a gifted electrical engineer who had previously worked in radio-astronomy research at the University of Maryland, joined the firm and quickly began probing the cipher algorithms. Together with her colleague Jörg Spoerndli, she ran plaintext attacks against multiple Crypto AG models and found that the output was far weaker than it should have been.[1][14] At one point, Spoerndli independently optimised the algorithm of the T-450 teleprinter encryption device, rendering it truly impenetrable, an event that provoked an internal crisis at the company before the NSA intervened to re-weaken the algorithm.[14] Caflisch herself designed a cipher algorithm so strong that 50 unbreakable HC-740 devices were manufactured before the NSA discovered the error; those 50 units were then sold to banks to keep them away from government targets.[14]
To contain the growing threat from overly competent engineers, the CIA and BND recruited Kjell-Ove Widman, a Swedish mathematics professor and celebrated cryptographer with close ties to Swedish intelligence and a personal affinity for the United States. After being groomed by Swedish intelligence, Widman was brought to Munich in 1979 for what was ostensibly a round of job interviews with Crypto AG and Siemens executives. He was recruited with little difficulty and served as the CIA's internal overseer of the company's cryptographic engineering until 1994.[14][1] As the company's most authoritative cryptographic voice, Widman ensured that the compromised algorithms appeared statistically robust to casual analysis while remaining easily breakable by the NSA. His goal was to design vulnerabilities that, if ever detected, could plausibly be attributed to human error rather than deliberate sabotage.[14]
Peter Frutiger and the Syria incident
Not all employees who became suspicious remained compliant. Peter Frutiger, a Swiss electrical engineer, physicist, and mathematician trained at the ETH Zurich, had joined Crypto AG in the 1960s and rose to become head of research and development and deputy director of the firm.[21] According to Frutiger's later account, Boris Hagelin Sr. personally let him in on the secret that the company was selling both secure and deliberately insecure cipher devices according to customer.[21] In the early 1970s, the U.S. intelligence services attempted to recruit him with the offer of an annual salary of US$100,000 and a single-family home with a swimming pool in a gated residential complex north of Boston; Frutiger declined.[21][19]
In 1977, after the NSA complained that diplomatic traffic from Syria had suddenly become unreadable, Frutiger came into open conflict with Crypto AG chief executive Heinz Wagner. Frutiger had previously travelled to Damascus to address Syrian complaints about the equipment and had quietly fixed the vulnerabilities; according to the Washington Post, citing the CIA history, this prompted his dismissal.[1] Frutiger himself, in a 2020 interview with NZZ am Sonntag, maintained that he had resigned by letter dated 28 April 1977 in protest at the direction of the company, and that the U.S. side had in fact offered him a retention bonus of 1.5 annual salaries to stay.[21] He remained an anonymous source ("Mister X") for Swiss television and subsequent investigations for more than two decades, going public under his own name only in February 2020 after the death of his wife.[21] Frutiger also stated that in May 2017 his home was burgled by intruders who searched for documents but stole nothing, an incident he attributed to interest in his Crypto AG papers around the time the company was being liquidated.[19]
In a related episode that has been described both by the Cybereason Malicious Life podcast and by Intel Today, Frutiger as head of R&D had also, in or around 1974, repaired MCC-314 bulk encryption devices for both Austria and Yugoslavia after their cryptographic services discovered the deliberate weakness.[22][23]
Tensions between the CIA and BND
Throughout the 1970s and 1980s, the partnership between the CIA and BND was marked by persistent friction. The Americans regarded the operation primarily as an intelligence tool and chafed at the BND's interest in profitability. The CIA "constantly reminded the Germans that this was an intelligence operation, not a money-making enterprise."[1] The two agencies also feuded over sales practices: Crypto AG sent an executive to Riyadh with ten Rolex watches to secure Saudi contracts, and arranged training programmes for Saudi officials in Switzerland where, according to the BND history, the participants' "favourite pastime was to visit the brothels, which the company also financed."[1]
The most fundamental disagreement, however, remained the question of which countries should receive secure versus compromised products. Germany, acutely aware of its position within the European Communities and NATO, resisted the surveillance of allies, while the CIA's position was categorical: every government that could be tricked into buying the rigged equipment should receive it.[1]
Crisis: the Buehler affair and BND withdrawal (1992-1993)
The arrest of Hans Buehler
The operation's most serious security breach came in March 1992, when Iran arrested Crypto AG's top salesman, Hans Buehler, during a business trip to Tehran. The Iranian authorities accused him of espionage and of leaking their encryption codes to Western intelligence services.[1][24]
Buehler, who knew nothing of the CIA-BND ownership or the vulnerabilities in his employer's machines, was detained and interrogated for nine months. While the CIA and BND argued over how to respond, Buehler languished in an Iranian prison. The CIA refused to contribute to his release, citing the U.S. policy against paying ransom for hostages. In January 1993, the BND secretly provided approximately US$1 million (some sources say 1.4 billion Iranian rials) to secure Buehler's release.[1] Crypto AG then fired Buehler and attempted to recover the bail money from him personally.[8]
Traumatised and now deeply suspicious, Buehler began speaking to Swiss news organisations. His revelations triggered a wave of investigative reporting. Swiss television traced Crypto AG's ownership through its Liechtenstein holding company to a trust company in Munich, and a witness appearing on camera identified the true owner as the German Federal Estates Administration. Der Spiegel published a detailed exposé in 1996 under the headline "Wer ist der befugte Vierte?" ("Who is the authorised fourth?"), and the Baltimore Sun ran a series of articles by Scott Shane and Tom Bowman that concluded the machines had been systematically rigged.[16][1]
Despite this wave of publicity, the leaked CIA history noted that the Buehler case, codenamed "Hydra" internally, while being "the most serious security breach in the history of the program", was ultimately survivable: approximately half a dozen countries paused or cancelled their Crypto AG contracts, but the vast majority of its roughly 60 remaining active government clients continued to use the compromised equipment.[1]
BND withdrawal
The fallout from the Buehler affair proved decisive for the German side of the partnership. In 1993, the BND sold its 50 percent stake in Crypto AG to the CIA for US$17 million. According to Bernd Schmidbauer, a former minister in the German Chancellery under Helmut Kohl, the decision was driven by the assessment that the political risks of the operation had become unacceptably high following Buehler's arrest and the ensuing media scrutiny.[1] The reunification of Germany and the end of the Cold War had also shifted German strategic priorities and sensitivities.[1]
However, the BND continued to exploit the knowledge it had acquired during the partnership. According to media reports, the weakness of Crypto AG algorithms continued to be exploited by German intelligence well after 1993; Italian diplomatic traffic, for example, was reportedly still being deciphered around 2001.[1]
Pre-2020 exposés (1995-1996)
Although the BND's withdrawal in 1993 reduced operational risk in Bonn, the Buehler publicity continued to attract investigative reporting. On 10 December 1995, the Baltimore Sun published the first of a series of articles by Scott Shane and Tom Bowman, under the rubric "No Such Agency", presenting documentary evidence that the NSA had rigged Crypto AG machines so that U.S. eavesdroppers could "effortlessly decipher the most sensitive political and military messages of many countries."[25] The series drew on interviews with former Crypto AG engineers and on internal company documents, and reported on the August 1975 NSA-Motorola-Crypto AG meeting attended by NSA cryptologist Nora Mackabee and CIA officer Herb Frank.[25] Crypto AG dismissed the allegations in a two-page statement as "old hearsay" and "pure invention".[25]
The Sun series was followed on 2 September 1996 by a long investigation in the West German news magazine Der Spiegel (issue 36/1996, pages 206-207), headlined "Wer ist der befugte Vierte? Geheimdienste unterwandern den Schutz von Verschlüsselungsgeräten" ("Who is the authorised fourth? Secret services subvert the protection of encryption devices").[26] The article's title quoted former Crypto AG employee Ernst Polzer, who had observed sardonically that such devices were indeed designed to keep unauthorised third parties out, but that "the interesting question is who the authorised fourth is."[26] Der Spiegel identified Nora Mackabee as an NSA cryptologist and confirmed her presence at Crypto AG meetings through the corroborating testimony of Motorola engineer Bob Newman.[26]
Despite this body of reporting and the corroborating publications that followed (including in Swiss Radio International and on Swiss public television), neither the CIA nor the BND was forced to dissolve the operation. The leaked CIA internal history records, with apparent equanimity, that target governments largely continued to use Crypto AG equipment after the exposés, and that the press cycle subsided without producing any decisive enforcement action.[1] Academic analyst Jason Dymydiuk has cited this remarkable resilience as one of the central puzzles of the affair, calling the 1995-1996 exposure a "near miss" that nevertheless did not end the programme.[27]
CIA sole ownership and decline (1993-2018)
After acquiring sole ownership in 1993, the CIA continued to operate Crypto AG for another quarter-century, though the operation entered a protracted decline. By the mid-1990s, "the days of profit were long past", and the company would have gone bankrupt without financial infusions from the United States.[1] The encryption market was shifting from proprietary hardware to commercially available software, and competitors offering verifiably secure digital encryption began to erode Crypto AG's customer base.
Nevertheless, many governments continued to use their existing Crypto AG hardware well into the 2000s. The CIA history, which was completed in 2004, concluded: "at the turn of the century Minerva was still alive and well."[1]
In 2017, Crypto AG's headquarters building near Zug was sold to a commercial real estate company. In 2018, the company was liquidated. Its remaining assets were split and sold to two successor entities: CyOne Security AG, formed through a management buyout, which now sells encryption systems exclusively to the Swiss government; and Crypto International AG, founded by Swedish entrepreneur Andreas Linde, who acquired the brand name, international product portfolio, and distribution network.[1][28] The Washington Post reported that the transactions "seemed designed to provide cover for a CIA exit".[1]
When confronted with the evidence of CIA-BND ownership, Linde, who said he had been drawn to the company by its Swedish heritage and its connection to Boris Hagelin, appeared visibly shaken. "We at Crypto International have never had any relationship with the CIA or BND," he told reporters.[1] CyOne likewise denied any connection to intelligence services.[1]

The Maximator alliance
The exploitation of Crypto AG vulnerabilities was not limited to the CIA and BND. A parallel, lesser-known signals intelligence alliance, known as the Maximator alliance, also benefited from the operation. This alliance, established in 1976 and still active, comprises the intelligence services of five northwestern European nations: Denmark, France, Germany, Sweden, and the Netherlands.[29]
The alliance's name derives from Maximator, a Doppelbock beer brand from Bavaria. In 1979, representatives of the emerging alliance were drinking the beer at a gathering near the BND headquarters in Pullach, a suburb of Munich, and adopted the name from their glasses.[29]
Within the Maximator network, critical information about the inner workings and weaknesses of Crypto AG devices (and those of other manufacturers) was systematically distributed among the five participating services. This allowed each partner to independently decrypt intercepted messages from the more than 100 countries using compromised Crypto AG equipment, without needing direct access to the CIA-BND operation itself.[29] Notably, the Maximator alliance is distinct from and parallel to the Five Eyes arrangement, and countries including Norway, Spain, and Italy were deliberately excluded from membership on grounds of insufficient cryptanalytic expertise.[29] Swiss intelligence, which learned of the CIA-BND ownership of Crypto AG in autumn 1993, subsequently sought and obtained access to information about the weakened algorithms from the Americans, but was never a formal member of Maximator.[3]
Awareness outside the formal partnership
The ring of governments aware of, or benefiting from, the operation extended beyond the formal CIA-BND partnership and the five Maximator states. According to the leaked CIA history as reported by the Washington Post, "at least four countries", Israel, Sweden, Switzerland and the United Kingdom, "were aware of the operation or were provided intelligence from it by the United States or West Germany."[1] The British relationship dated back to the earliest stage of the arrangement: Boris Hagelin's correspondence with William Friedman shows that Hagelin had agreed to keep both the NSA and the GCHQ informed of his machines' technical specifications and customer base from at least 1955.[5] Switzerland's awareness from 1993 is documented in the GPDel parliamentary report.[3] Less is known publicly about the specific channels through which Israel and Sweden received intelligence product, although the leaked CIA history described the broader benefit to "two (and possibly as many as five or six) foreign countries."[30]
Swiss government response
Parliamentary investigation
On 13 February 2020, two days after the publication of the Washington Post/ZDF/SRF investigation, the Swiss Parliament's Business Audit Delegation (GPDel), the parliamentary oversight body for national security, launched a formal investigation under its president, Alfred Heer.[24] The GPDel's 64-page report, published on 10 November 2020, concluded that the Swiss Strategic Intelligence Service (SND) had known since autumn 1993 that Crypto AG was owned by foreign intelligence agencies and was manufacturing devices with deliberately weakened encryption. The SND had used this knowledge to gather technical information about Crypto AG's encryption methods and customer lists, and had sought to break the weakened encryption independently.[3]
The report found, however, that the SND had failed to inform the responsible federal minister about its knowledge. Documents confirming Swiss awareness of the operation, initially believed to have been destroyed, were discovered in a K-Anlage, a Cold War-era atomic bunker used for storing classified state documents.[24][3] The report also criticised the fact that officials in the Swiss defence ministry had destroyed files related to Crypto AG between 2011 and 2014.[24]
Criminal complaints and diplomatic fallout
The Swiss State Secretariat for Economic Affairs (SECO), which had authorised Crypto AG's exports for decades without knowing the equipment was compromised, filed a criminal complaint against "persons unknown". SECO officials argued that they had been deceived into authorising exports in violation of Swiss federal law governing the regulation of sensitive technology exports.[31] The Swiss government suspended Crypto International's export licence, a move that the GPDel report later criticised as legally unfounded.[24] The Office of the Attorney General dropped that export-control investigation on 21 December 2020, finding that although the devices had indeed been tampered with there was no evidence of a "deliberate and unjustified violation of the Export Control Act", and ordered the return of around 400 confiscated devices.[32]
The affair caused diplomatic embarrassment for Switzerland, a country whose international reputation is built on its tradition of neutrality. Green Party politician Balthasar Glättli condemned what he called "banana republic behaviour" that was "unworthy of a constitutional state".[24] A separate criminal investigation, conducted by special prosecutor Peter Marti into the leaking of the confidential draft GPDel report to the media, was concluded in March 2023 without charges; Marti found that the initial suspicion against the accused, who included the secretary general of the foreign ministry and a journalist, could not be substantiated despite extensive investigation.[33]
The Swiss government's decision to impose export controls on Crypto International in the wake of the revelations also caused diplomatic tensions with Sweden. The Swedish government reportedly cancelled plans to celebrate 100 years of diplomatic relations with Switzerland in protest.[4]
Other affected states also reacted. In Belgium, a primary NATO and European Economic Community diplomatic target whose military intelligence service (SGRS) and foreign ministry had been Crypto AG customers, the Standing Intelligence Agencies Review Committee (Comité I) announced on 14 February 2020 that it was opening an investigation into whether Belgian administrations and intelligence services had used the compromised equipment.[23]
Documented intelligence exploitation
Suez Crisis (1956)
The Suez Crisis of 1956 represents the earliest documented instance in which intelligence derived from compromised Crypto AG equipment played a role in a major international conflict. By the mid-1950s, Egypt under President Gamal Abdel Nasser had become one of Crypto AG's customers in the Middle East, purchasing Hagelin cipher machines for its military and diplomatic communications.[34] At this time, the gentleman's agreement between Boris Hagelin and William F. Friedman was in full effect: countries not on the approved list of Western allies received either older, less secure models of the CX-52 or machines configured according to weakened instruction manuals produced by the NSA.[8][5]
Declassified correspondence in the Friedman collection at the National Security Archive reveals that in August 1956, the very month the Suez Crisis was intensifying, Friedman wrote a memorandum to General Ralph Julian Canine, the first Director of the NSA, relaying concerns raised by Hagelin about the role of Siemens in developing and distributing advanced cipher technology to Egypt. The memorandum noted that Siemens' potential sales to Egypt "would displease NATO" and that Hagelin feared Crypto AG's inability to compete with Siemens in certain markets under the restrictions of the gentleman's agreement.[35] This document establishes that both the NSA and Hagelin were acutely aware of Egypt's encryption procurement, and that the NSA's access to Egyptian cipher traffic was a live operational concern at the time of the crisis.
The operational payoff was significant. When Nasser's government communicated with its allies, including its Iraqi counterparts in the context of the Iraqi Free Officers who had drawn inspiration from Egypt's own 1952 revolution, those encrypted cables were transmitted using compromised Hagelin machines. Britain's GCHQ, operating in partnership with the NSA under the terms of the UKUSA Agreement, was monitoring Nasser's moves in real time.[34]
The geopolitical context gave this intelligence special weight. On 26 July 1956, Nasser had nationalised the Suez Canal, triggering a crisis that ultimately drew Britain, France, and Israel into a secret military pact (the Protocol of Sèvres) to attack Egypt. For Western intelligence services, the ability to read Egyptian diplomatic and military traffic provided critical insight into Nasser's intentions, his negotiating positions, and his military readiness. In the months preceding the tripartite aggression of October 1956, the NSA and GCHQ were able to track Egyptian communications and assess whether Nasser's public defiance reflected genuine military preparedness or was primarily political posturing.[36][37]
The Suez Crisis thus served as an early proof of concept for the Hagelin-Friedman arrangement. Though the gentleman's agreement was still in its infancy and the compromise of Crypto AG machines was achieved through manipulated instruction manuals rather than embedded algorithmic backdoors, the ability to decrypt Egyptian government communications demonstrated the strategic value of controlling the global encryption supply chain. The success reinforced the NSA's commitment to the partnership with Hagelin and, according to the leaked CIA internal history, provided a template for the far more ambitious operations that would follow after the CIA and BND acquired Crypto AG outright in 1970.[1]
Six-Day War and its aftermath (1967–1970)
The Six-Day War of June 1967 and its diplomatic aftermath coincided with a critical inflection point in the Crypto AG operation: the transition from mechanical to electronic cipher machines and the deepening of NSA involvement in the design of the company's products. Egypt, Jordan, Syria, and several other Arab states were Crypto AG customers at the time of the conflict, and their military and diplomatic communications were encrypted using Hagelin devices whose vulnerabilities were known to Western intelligence.[38][1]
By 1967, the arrangement between the CIA and Crypto AG had evolved well beyond the original gentleman's agreement. In 1960, the CIA had formalised its relationship with Hagelin through a "licensing agreement" worth US$855,000 and an annual retainer of US$70,000, plus US$10,000 in "marketing" subsidies to ensure that Crypto AG, rather than competitors, secured contracts with governments worldwide.[1] In 1967, Crypto AG released the H-460, its first all-electronic cipher machine, whose internal workings had been designed by the NSA.[1] The H-460 marked the transition from the era of manipulated instruction manuals to that of algorithmically embedded vulnerabilities, a qualitative leap that made the decryption of intercepted traffic significantly faster and more reliable.
In the lead-up to the war, the CIA had developed an exceptionally detailed picture of Arab military capabilities. On 23 May 1967, the day after Nasser closed the Straits of Tiran to Israeli shipping, President Lyndon B. Johnson asked CIA Director Richard Helms for an immediate assessment of the likely outcome of an Arab-Israeli conflict. The CIA's Office of Current Intelligence (OCI) delivered its appraisal within hours, concluding that Israel could "successfully defend itself against any combination of Arab enemies if attacked simultaneously on all sides and initiate a major offensive as well."[39] Helms assured the president that Israel was not in danger and would prevail in any military confrontation, a judgment that proved strikingly accurate.[39]
When Israel then provided its own intelligence assessment to Washington, painting a far more alarming picture, Helms ordered his analysts to cross-check the Israeli claims. Within five hours, the CIA concluded that the Israeli analysis "was not a serious intelligence estimate but a political gambit designed to influence the American administration" and that its calculations of Arab military strength were inaccurate.[39] The agency further judged that the Soviet Union would not intervene militarily. The CIA and the Defense Intelligence Agency produced a joint paper at the end of May predicting that Israel would win any war and take the Sinai "in several days."[39]
While no single declassified source has confirmed the specific intelligence streams that fed this assessment, the operational context is clear: Egypt, Jordan, and Syria were all using Crypto AG equipment whose encryption was designed to be readable by the NSA, and the gentleman's agreement (and, by 1967, the formalised CIA licensing arrangement) had been in place for over a decade.[35][1] The Arab states' military communications, diplomatic cables, and back-channel negotiations were all transmitted using these compromised systems. Historian Jason Dymydiuk of the University of Warwick, in his analysis of Operation Rubicon published in Intelligence and National Security, noted that the CIA and BND documents uncovered by journalists illustrate how the operation "allowed for policy makers to have access to the highly sensitive communications data of their enemies, for decades", with the period surrounding the 1967 war falling squarely within the operation's most productive phase.[36]
The war itself lasted from 5 to 10 June 1967 and ended in an overwhelming Israeli victory. Israel captured the Sinai Peninsula and Gaza Strip from Egypt, the West Bank and East Jerusalem from Jordan, and the Golan Heights from Syria.[39] The post-war intelligence assessment produced by the U.S. intelligence community confirmed the scale of the Arab defeat: half of Egypt's 1,000 tanks were destroyed or captured, two-thirds of its air force was annihilated, the Royal Jordanian Air Force was totally destroyed, and Arab casualties outnumbered Israeli ones by a ratio of ten to one.[39]
The aftermath of the war proved as intelligence-rich as the conflict itself. In the years between 1967 and 1970, Egyptian, Jordanian, and Syrian diplomatic traffic intensified as the parties negotiated over the implementation of United Nations Security Council Resolution 242, the disposition of occupied territories, and the War of Attrition along the Suez Canal.[40] Throughout this period, the Arab states continued to rely on their Crypto AG equipment, unaware that their most sensitive diplomatic communications were being read in Washington. As the CIA's own historian later wrote, the quality of the intelligence derived from the operation during this era "enhanced its reputation" and contributed to the decision to formalise the relationship by purchasing Crypto AG outright in June 1970.[1]
The Six-Day War and its diplomatic fallout thus served as a decisive proving ground for the expanded Crypto AG operation. The intelligence it yielded contributed to the CIA's ability to provide the Johnson administration with assessments of remarkable accuracy, and the continuing dependence of Arab governments on compromised Hagelin machines ensured that the flow of intelligence would persist through the negotiations, the War of Attrition, and ultimately the run-up to the Yom Kippur War of 1973.[36][37]
Camp David Accords (1978)
The Camp David Accords of September 1978, widely regarded as one of the landmark diplomatic achievements of the 20th century, were negotiated with the aid of signals intelligence derived from compromised Crypto AG equipment used by Egypt.[1]
On 9 November 1977, Egyptian President Anwar Sadat had stunned the world by announcing his intention to visit Jerusalem and speak before the Knesset, launching the first direct peace process between Israel and an Arab state.[41] Over the following months, Egyptian-Israeli negotiations produced agreement on procedural matters but stalled on the substantive questions: the future of the Sinai Peninsula, the status of the West Bank and Gaza, and the broader Palestinian question.[41] Impatient with the slow progress, President Jimmy Carter resolved to convene a summit at the presidential retreat of Camp David in Maryland. For thirteen days, from 5 to 17 September 1978, delegations led by Carter, Sadat, and Israeli Prime Minister Menachem Begin met in seclusion, isolated from the press and the outside world.[41]
In preparation for the summit, Carter had visited CIA headquarters in August 1978 for a series of intensive briefings. He requested to be "steeped in the personalities of Begin and Sadat", asking the agency: "What were their strengths and weaknesses? What were their attitudes toward me? What did they say about the United States and each other privately?"[42] The CIA provided detailed psychological profiles: Sadat, then 59, was described as "a former revolutionary and ardent nationalist" who preferred to negotiate in broad strokes, while Begin was characterised as a detail-obsessed legalist. Carter's National Security Adviser, Zbigniew Brzezinski, counselled the president that "Sadat cannot afford a failure and he knows it" and warned that Begin's "legalisms" and Sadat's "imprecision" could derail the process.[42]
What Carter's briefers did not publicly disclose was the source of some of their most granular insight. According to the Washington Post investigation, "the NSA was secretly monitoring the communications of Egyptian President Anwar Sadat with Cairo" throughout the Camp David negotiations.[1] Egypt had purchased Crypto AG equipment for its diplomatic communications, and these devices were among those whose encryption had been designed by the NSA to be breakable.[43] As a result, whenever Sadat cabled Cairo for updated instructions, to consult with his foreign minister, or to seek approval for concessions, the American delegation had access to the content of those communications in near-real time.[44]
The negotiations at Camp David were extraordinarily tense. Carter shuttled between the Egyptian and Israeli cabins, speaking to each leader separately after early joint sessions proved unproductive. "When the Egyptians were sleeping, I was talking to the Israelis," Carter later recalled. "When the Israelis were sleeping, I was talking to the Egyptians."[42] Multiple times, both Sadat and Begin threatened to leave; Carter personally intervened to keep them at the table.[41] The ability to read Sadat's back-channel communications gave the American mediators an asymmetric advantage: they could anticipate the Egyptian negotiating position, gauge where Sadat was willing to make concessions, and tailor their proposals accordingly.[44]
On 17 September 1978, the three leaders signed two framework agreements at the White House: "A Framework for Peace in the Middle East" and "A Framework for the Conclusion of a Peace Treaty between Egypt and Israel."[41] The second framework led directly to the Egypt-Israel peace treaty of 26 March 1979, which ended three decades of open hostilities between the two countries. Sadat and Begin were jointly awarded the Nobel Peace Prize in 1978.[42]
The Camp David intelligence operation had broader consequences beyond the peace talks themselves. The NSA's close monitoring of Egyptian and Libyan communications during the same period also yielded an unexpected domestic scandal. Admiral Bobby Ray Inman, who served as NSA director during this era, told the Washington Post that the operation placed him in "one of the trickiest binds he'd encountered in government service."[1] The NSA intercepted Libyan diplomatic communications indicating that President Carter's brother, Billy Carter, was advancing Libya's interests in Washington and was on the payroll of Libyan leader Muammar Gaddafi.[1] Inman referred the matter to the Department of Justice, which launched an FBI investigation.[1][45] Billy Carter, who had received US$220,000 from the Libyan government, initially denied having taken any payments but ultimately registered as a foreign agent in July 1980, creating a political embarrassment for the Carter White House during a difficult re-election campaign.[45][46]
Iran hostage crisis (1979-1981)
The Iran hostage crisis, which lasted 444 days and consumed the final fourteen months of the Carter presidency, represented one of the most operationally significant applications of Crypto AG-derived intelligence. Both Iran and Algeria, the two governments whose communications were most critical to the crisis, used Crypto AG equipment, providing the NSA with extraordinary visibility into the diplomatic exchanges surrounding the hostage negotiations.[1]
Background: Iran as a Crypto AG customer
Iran had been one of Crypto AG's most important and lucrative clients for decades. The Shah's government had purchased Crypto AG devices for both military and diplomatic communications, and after the Iranian Revolution of February 1979, the new theocratic regime under Ayatollah Khomeini inherited and continued to use the same compromised equipment.[47] As one CIA source told the Washington Post, Iran was "the most lucrative target of the entire bunch", with U.S. intelligence officials often reading stacks of Iranian secret messages just hours after they were sent.[47]
The crisis
On 4 November 1979, a group of revolutionary students calling themselves the Muslim Student Followers of the Imam's Line stormed the U.S. Embassy in Tehran, seizing 66 American diplomats and citizens. Fifty-two of them would be held captive for 444 days, until 20 January 1981.[48] The seizure was motivated by a confluence of factors: fury at the Carter administration's decision to admit the exiled Shah to the United States for medical treatment in October 1979, deep-seated resentment over the CIA-orchestrated 1953 coup that had overthrown Prime Minister Mohammad Mosaddegh, and a desire by radical Islamist elements to undermine the moderate provisional government of Mehdi Bazargan.[49]
Intelligence exploitation
With direct diplomatic channels severed, the Carter administration turned to Algeria as a back-channel intermediary. The Algerian government agreed to relay messages between Washington and Tehran. Crucially, both Iran and Algeria used Crypto AG devices for their diplomatic communications, meaning that the NSA could intercept and decrypt exchanges in both directions.[1]
Admiral Bobby Ray Inman, who served as Director of the NSA from 1977 to 1981 and is one of the few former officials to speak openly about the Crypto AG operation, provided the Washington Post with a direct account of the intelligence's value. Inman said he "routinely got calls from President Jimmy Carter asking how the Ayatollah Khomeini regime was reacting to the latest messages."[1] The NSA director was able to provide near-immediate answers: "We were able to respond to his questions about 85 percent of the time," Inman told the Post. "That was because the Iranians and Algerians were using Crypto devices."[1]
This extraordinary access gave the Carter administration real-time insight into the internal deliberations of the Khomeini regime during the crisis. As Inman described it to NPR, the operation was "a very valuable source of communications on significantly large parts of the world important to US policy-makers."[6] The NSA could track how the Iranian leadership was interpreting American diplomatic overtures, which factions within the revolutionary government were amenable to negotiation, and what conditions Tehran might accept for the hostages' release.[1]
Despite this intelligence advantage, the hostage crisis proved intractable. A military rescue attempt, Operation Eagle Claw, launched on 24 April 1980, ended in disaster at the staging area known as Desert One in the Dasht-e Kavir salt desert, where a helicopter collision killed eight American servicemen.[48] The intelligence from Crypto AG intercepts could reveal Iranian intentions and reactions but could not resolve the fundamental political impasse: the hostage-takers, backed by Khomeini, refused to release the Americans as long as the Shah remained alive and beyond the reach of Iranian justice.[49]
The Algiers Accords and release
Negotiations intensified following the Shah's death in exile in Cairo on 27 July 1980 and the outbreak of the Iran-Iraq War in September 1980, which shifted Iran's strategic calculus. Throughout the autumn and winter of 1980-1981, the Algerian government continued to serve as intermediary, shuttling between the two capitals.[48] The NSA's ability to read both Iranian and Algerian traffic in parallel meant that American negotiators had continuous access to both sides of the intermediary channel, a capability of immense value in the final, high-pressure weeks of negotiation.[1]
The crisis concluded with the signing of the Algiers Accords on 19 January 1981. The 52 hostages were released on 20 January 1981, minutes after Ronald Reagan was sworn in as Carter's successor, ending what the National Archives has described as "a major international crisis" that had "dominated the last fourteen months of the Carter presidency."[48]
Long-term significance
The intelligence yield from Iran did not end with the hostage crisis. Iran remained a Crypto AG customer throughout the 1980s, and its communications were continuously monitored during the Iran-Iraq War (1980-1988). In the single year of 1988, more than 19,000 intercepted Iranian messages were decrypted and used by the CIA in its analyses for policy-makers, "covering everything from hostage issues to the Iranian conflicts with other Persian Gulf states."[47][37] The Minerva files noted that this volume represented between 80 and 90 percent of Iran's total encrypted diplomatic and military traffic.[37]
Iranian foreign minister Mohammad Javad Zarif, when asked about the revelations during a visit to Germany in February 2020, indicated that Iran had not independently discovered that its Crypto AG equipment was compromised. He stated that Iran's dealings with the company had ended approximately 20 years earlier, not because of any suspicion of espionage, but because U.S. sanctions had forced Crypto AG to cease its business with Iran.[47]
1973 Chilean coup, Operation Condor, and the Letelier assassination (1973-1978)
Chile as a Crypto AG customer
Chile was among the Latin American nations that purchased Crypto AG equipment for its diplomatic and military communications.[2] Declassified records published by the National Security Archive at George Washington University on 11 February 2020 identified Chile, alongside Argentina, Brazil, Uruguay, Mexico, Peru, Colombia, Venezuela, and Nicaragua, as Latin American customers of the company.[50] The NSA Archive noted that the use of these compromised devices "provided the CIA and the National Security Agency with the ability to decrypt thousands of messages, potentially covering a range of dramatic historical episodes, among them: the 1973 military coup in Chile."[50]
The CIA's involvement in the destabilisation of the government of President Salvador Allende is extensively documented through other declassified records. A cable from CIA operative Jack Devine, dated 10 September 1973, confirmed to senior U.S. officials that the coup would take place the following day.[51] A Defense Intelligence Agency summary classified "Top Secret Umbra", dated 8 September 1973, provided detailed information on the agreement among the Chilean Army, Navy, and Air Force to move against Allende on 10 September (the coup was ultimately launched on 11 September).[51] While these specific intelligence products came through human and other signals intelligence channels, the compromised Crypto AG equipment used by the Chilean military and diplomatic services provided an additional, continuous layer of insight into the planning and execution of the coup and the political developments that followed.[50]
The role of Crypto AG in the Chilean context raises what the National Security Archive has called one of the most significant questions arising from the Minerva revelations: the extent of U.S. knowledge of the atrocities committed by the Pinochet regime in the months and years following the coup.[50] A CIA intelligence report dated 25 October 1973 noted that General Arellano Stark, widely considered Pinochet's right-hand man, had ordered the execution of 21 political prisoners, with another 14 disappearances also attributed to his orders.[51] The Crypto AG intercepts would have provided the U.S. intelligence community with a direct window into the military junta's internal communications during this period of systematic repression.
Condortel: the Crypto AG backbone of Operation Condor
The most consequential use of Crypto AG equipment in Latin America involved Operation Condor, the multinational campaign of political repression and state terrorism coordinated by the military dictatorships of the Southern Cone.[52]
At the inaugural meeting of Operation Condor, hosted by the Pinochet regime in Santiago in November 1975, military officials from five dictatorships (Chile, Argentina, Uruguay, Paraguay, and Bolivia, with Brazil joining later) signed a founding accord. The agreement stated that member nations would employ a "Cryptology System that will be available to member countries within the next 30 days, with the understanding that it may be vulnerable; it will be replaced in the future with cryptographic machines to be selected by common agreement."[50] After the second Condor meeting in June 1976, the CIA reported that "Brazil agreed to provide gear for 'Condortel', the group's communications network."[50]
That "gear", the declassified documents reveal, came from Crypto AG. A secret CIA cable dated 1 February 1977, titled "Communications System Employed by the Condor Organization", described the initial equipment: "The cipher system employed by Condor is a manual machine system of Swiss origin given to all Condor countries by the Brazilians and bearing the designation CX52." The CIA described the encryption machine as "similar in appearance to an old cash register which has numbers, slide handles, and a manually operated dial on the side which is turned after each entry."[50]
By the end of 1977, the Condortel network was upgraded with newer, more sophisticated encryption devices. According to a recently declassified secret Defense Intelligence Agency (DIA) intelligence appraisal dated 11 August 1978, "in late 1977, Argentina provided Hagelin Crypto H-4605 equipment to Condortel to enhance the security of its teletype nets."[50] The DIA report added that "communications for operations in Latin America are to be provided by Condortel facilities." When Ecuador joined the Condor network in 1978, the CIA reported that "an Argentine military officer, chief of the CONDOR communications system (CONDORTEL), is supervising the installation of a telecommunications system in the Ecuadorean Ministry of National Defense."[50]
The Condor machines were themselves compromised. The CX-52 had been specifically designed to be readable by the NSA under the terms of the gentleman's agreement, and the H-4605 was a variant of the Crypto H-460, the all-electronic machine "whose inner workings were designed by the NSA," according to the Washington Post.[50][1] Professor Vitelio Brustolin of Fluminense Federal University, writing in the Cambridge Review of International Affairs, documented that Brazil had imported 80 CX-52 encryption machines and seven B-621-b electric keyboard devices in a shipment dated 3 February 1971, and that Hagelin had "managed to persuade Brazil, who had purchased CX-52/RT machines, to swap them for the exploitable (readable) CX-52-M-27."[53] This means that the entire Condortel communications network, from the original Brazilian-supplied CX-52 machines to the Argentine-supplied H-4605 upgrades, ran on equipment that the CIA and NSA could read without difficulty.[50]
The Letelier assassination
Operation Condor's most infamous act was the assassination of Orlando Letelier, a former Chilean diplomat and prominent critic of the Pinochet regime, who was killed by a car bomb on Embassy Row, Washington, D.C., on 21 September 1976. His American colleague, Ronni Moffitt, was also killed in the blast.[50] The National Security Archive explicitly listed the Letelier-Moffitt assassination as one of the "dramatic historical episodes" covered by Crypto AG-derived intelligence.[50] The assassination had been ordered by the Chilean intelligence service, DINA, and carried out by its agents in coordination with anti-Castro Cuban exiles.[51]
The revelation that the CIA could read the Condor nations' encrypted communications before, during, and after the Letelier assassination raised what the National Security Archive called "profound questions" about the extent of U.S. prior knowledge. DINA chief Manuel Contreras was retained as a paid CIA contact until 1977, even after his involvement in the Letelier-Moffitt assassination was being uncovered.[50]
The ethical question
The Washington Post reported that internal documents showed CIA officials were "alarmed" about human rights abuses by the Latin American military juntas, but that the agency was "largely focused on shielding itself from possible adverse political ramifications" should Condor's activities become public.[52] A 1976 memo to the deputy director of the CIA referred to instructions sent to U.S. ambassadors in the region to "express the serious concern of the U.S. government to the alleged assassination plans envisioned within 'Operation Condor.'"[52] But the same memo indicated that U.S. officials were more concerned about killings beyond the Condor countries' own borders than the mounting death toll within South America itself.[52]
Argentina, meanwhile, was aware that some of its encryption equipment might be vulnerable, but was primarily worried about being spied on by its neighbours rather than by the United States. The Argentines "accepted" a modification to their equipment that they were led to believe would make their communications secure from eavesdropping, according to the CIA history. But they did so "on the promise" that Crypto officials would "not tip off" other Latin American countries that were also Crypto customers. Buenos Aires wanted its neighbours to remain ignorant of the vulnerability so that Argentina could spy on them.[52] As the CIA history dryly observed: "The grand competition between East and West was of less concern to them than intramural contests in their own backyards."[52]
Carlos Osorio, a researcher at the National Security Archive, described the Crypto AG revelations as reinforcing "the perception among Latin Americans" that the United States had been intimately aware of the atrocities committed during Operation Condor and had chosen not to intervene.[52] The operation accounted for the political extermination of more than 10,000 people in Argentina and more than 3,000 in Chile, with additional hundreds killed in Brazil, Paraguay, Uruguay, and Bolivia.[50] Victims included two former Uruguayan legislators, a former Bolivian president (Juan José Torres), a former Chilean army commander (Carlos Prats) and his wife, and the former Chilean interior minister Bernardo Leighton.[50]
Through the intercepted communications of the Condor nations, the German government under Helmut Schmidt was also aware of the large-scale human rights abuses taking place in Argentina. Despite this knowledge, the West German national football team participated in the 1978 FIFA World Cup, which was hosted in Argentina and used by the military junta as a propaganda tool. An obvious public use of the intercepted intelligence would have risked exposing the entire Crypto AG operation.[29]
Falklands War (1982)
Argentine reliance on Crypto AG
Argentina's armed forces were long-standing customers of Crypto AG and relied on the company's equipment for both diplomatic and military communications throughout the military dictatorship (1976-1983) and beyond.[50][1] The machines in use by the Argentine military at the time of the Falklands War included the HC-550 and HC-570 cipher devices, both of which contained algorithms that had been deliberately weakened by the BND and the NSA.[54] Argentina also used the CAG 500, a newer model that the CIA's internal cryptographer Kjell-Ove Widman would later describe to Argentine officials as "unbreakable", despite the fact that it, too, was designed to be readable by Western intelligence.[1]
The intelligence pipeline to Britain
On 2 April 1982, the Argentine military invaded the Falkland Islands, a British Overseas Territory in the South Atlantic. The United Kingdom assembled a naval task force that sailed 8,000 miles to retake the islands. Throughout the 74-day conflict, signals intelligence played a critical role in the British campaign.
According to the leaked CIA internal history, "in 1982, the Reagan administration took advantage of Argentina's reliance on Crypto equipment, funnelling intelligence to Britain during the two countries' brief war over the Falkland Islands."[1] The Washington Post noted that the CIA history "doesn't provide any detail on what kind of information was passed to London."[55] However, the operational implications were substantial: Argentine military and diplomatic traffic encrypted on compromised Crypto AG machines was being intercepted, decoded, and shared with the United Kingdom through intelligence-sharing channels between the NSA and GCHQ.[56]
The role of the Maximator alliance and the Netherlands
The intelligence pipeline was not limited to the CIA-GCHQ channel. Professor Bart Jacobs of Radboud University Nijmegen, in his landmark 2020 paper on the Maximator alliance, revealed that the Dutch signals intelligence agency (TIVC) had independently gained access to Argentine encrypted communications well before the war, using its knowledge of Crypto AG's weaknesses acquired through the Maximator network.[54][29]
When Argentina invaded the Falklands, GCHQ found itself initially unprepared: it had not previously focused significant analytical resources on Argentina.[54] The Dutch intelligence service, which had been routinely reading Argentine traffic as part of its broader exploitation of Crypto AG vulnerabilities, shared the critical technical details with GCHQ, allowing the British to rapidly establish their own decryption capability against Argentine military communications.[54] The Register described this intelligence transfer as one of the most operationally significant contributions of the Maximator alliance, enabling GCHQ to begin reading Argentine communications in the crucial early days of the conflict when the British task force was still en route.[54]
The ability to decrypt Argentine naval communications proved particularly consequential. GCHQ was able to track the movements of Argentine submarines operating in the theatre of operations, including the ARA San Luis, and to identify the areas in which they operated. British nuclear submarines and frigates were dispatched to intercept on the basis of this intelligence.[57] Communications may also have been intercepted through listening stations on Ascension Island, in New Zealand, and in Chile (whose intelligence services cooperated with Britain during the conflict), as well as by a U.S. Vortex communications interception satellite launched in 1981.[57]
The intelligence contributions from Chile's own Pinochet regime are widely credited with directly contributing to the sinking of the ARA General Belgrano on 2 May 1982. Lord Cecil Parkinson, a member of Prime Minister Margaret Thatcher's War Cabinet, later revealed that the decision to torpedo the cruiser was taken after Britain received secret intercepts from Chilean intelligence services revealing orders from the Argentine junta to the ship's captain, Héctor Bonzo, to launch a massive attack on the British task force.[56] The attack by HMS Conqueror remains the only instance in which a nuclear submarine has sunk an enemy warship in combat.[56]
The Widman bluff
Argentina's suspicions about the integrity of its Crypto AG equipment grew during and after the war. Argentine military officials became convinced that their encrypted messages had been compromised and that this had contributed to British battlefield successes.[1]
To contain the crisis, the CIA dispatched its most trusted asset within Crypto AG: Kjell-Ove Widman. The Swedish mathematician and CIA agent was sent to Buenos Aires to personally reassure the Argentine military.[1] Widman told the Argentines that the NSA had probably cracked an outdated speech-scrambling device that Argentina was using, but that the main encryption product they had purchased from Crypto, the CAG 500, remained "unbreakable."[1]
According to the leaked CIA internal history, "the bluff worked."[1] The Argentines, despite their misgivings, accepted Widman's explanation. The CIA history recorded: "The Argentines swallowed hard, but kept buying CAG equipment."[1] Argentina continued to purchase Crypto AG products for years afterward, unaware that the man who had reassured them of the equipment's integrity was himself a recruited intelligence asset of the very agency that had been reading their communications and feeding them to their enemy.[58]
Casualties and aftermath
The Falklands War ended on 14 June 1982 with the Argentine surrender at Stanley. British casualties totalled 255 killed and 775 wounded, while Argentine losses amounted to 649 killed and 1,657 wounded.[56] While it is impossible to quantify precisely how many British lives were saved by the intelligence derived from compromised Crypto AG equipment, the ability to read Argentine military communications, and to track submarine movements in particular, is widely regarded by military historians as having provided a significant tactical advantage throughout the campaign.[54][56]
The Falklands War episode also illustrates a recurring pattern in the Crypto AG operation: the tension between intelligence exploitation and the risk of exposure. Argentina's post-war suspicions brought the operation closer to discovery than almost any previous incident, and the successful "bluff" by Widman demonstrated both the audacity of the CIA's management of the programme and the remarkable credulity of its targets.[1]
1986 West Berlin discotheque bombing and Libya (1986)
The bombing of the La Belle discotheque in West Berlin on 5 April 1986 and its aftermath represent perhaps the most perilous moment in the history of the Crypto AG operation, when a U.S. president's public statements came within inches of exposing the programme's most closely guarded secret.
Libya as a Crypto AG customer
Libya under Colonel Muammar Gaddafi was a significant Crypto AG client. By 1981, Libya ranked sixth on the company's customer list, behind Saudi Arabia, Iran, Italy, Indonesia, and Iraq.[59] Libyan diplomatic and military communications, including traffic between Tripoli and its embassies worldwide, were encrypted using Crypto AG equipment whose deliberately weakened algorithms could be exploited by the NSA and the BND.[60]
Dymydiuk describes Libya as an important and remarkably consistent customer for Crypto AG, and as a major intelligence target whose compromised communications formed a significant part of the Rubicon take.[60]
The La Belle bombing
On 5 April 1986, at 1:45 a.m. CET, a bomb packed with nails and Semtex plastic explosive detonated beneath a table near the disc jockey's booth inside the La Belle discotheque in the Friedenau neighbourhood of West Berlin's Schöneberg district.[61] The venue was popular with American servicemen stationed in West Berlin. The blast instantly killed Sergeant Kenneth T. Ford, a 21-year-old U.S. soldier, and Nermin Hannay, a Turkish woman. A second U.S. soldier, Sergeant James E. Goins, died from his injuries about two months later. A total of 229 others were injured, of whom 79 were American military personnel.[61] The four-pound device caused catastrophic injuries; many victims lost limbs from the shrapnel of flying nails.[62]
The bombing came at a time of intense confrontation between the United States and Libya. In March 1986, during the Gulf of Sidra incident, U.S. naval forces had sunk two Libyan patrol boats and struck a missile site on the Libyan coast after Libyan forces fired upon American aircraft conducting freedom of navigation exercises.[61]
The intercepted cables
In the days surrounding the attack, the NSA intercepted a series of encrypted diplomatic cables between Tripoli and the Libyan People's Bureau (embassy) in East Berlin. According to leaked CIA and BND internal histories, and later reconstructions by journalists, these messages were sent using Crypto AG equipment whose built-in weaknesses allowed rapid decryption.[59][60]
Other research has raised questions about this attribution. Bart Jacobs, drawing on a source within the Dutch signals intelligence organisation TIVC, reports that Dutch analysts never saw Libyan communications encrypted with Crypto AG devices and suggests that the hit team responsible for the bombing may have used a different cipher system, possibly a manual cipher, for the traffic linked to La Belle.[63] Jacobs notes that TIVC did not itself intercept the specific evidence cited by the United States and that French or American services would be best placed to clarify which system was used.[63]
Despite these uncertainties about the cryptographic details, contemporary accounts agree that two Libyan diplomatic cables between East Berlin and Tripoli, intercepted and decrypted by Western intelligence, played a central role in the case President Ronald Reagan presented as "direct" and "irrefutable" proof of Libyan responsibility for the bombing and for the subsequent Operation El Dorado Canyon airstrikes.[64][60]
Reagan's address and the exposure risk
Nine days after the bombing, on 14 April 1986, President Ronald Reagan ordered retaliatory airstrikes against Tripoli and Benghazi under the codename Operation El Dorado Canyon. In a nationally televised address explaining the strikes, Reagan declared that the United States possessed evidence of Libya's complicity that "is direct, it is precise, it is irrefutable."[65] He stated that the evidence showed Libya's embassy in East Berlin had received orders to carry out the attack a week before it occurred, and that "the day after the bombing, they reported back to Tripoli on the great success of their mission."[65]
Reagan's words made unmistakably clear that Tripoli's encrypted communications with its station in East Berlin had been intercepted and decrypted. The Washington Post noted that "Reagan appears to have jeopardized the Crypto operation" with this disclosure.[65] The following day, journalists Bob Woodward and Patrick Tyler of the Washington Post published an article headlined "Libyan Cables Intercepted and Decoded", further detailing the intelligence chain.[27]
The disclosure sent shockwaves through the intelligence community. NSA Director Lieutenant General William Odom recorded in his daily activity log on 15 April 1986 his alarm at the president's public statements.[27] On 6 November 1986, Odom wrote a furious entry: "Who told Cong[ress] about Cry[pto] AG?", indicating that knowledge of the Crypto AG connection was leaking to Capitol Hill.[27]
Consequences for the operation
Libya was not the only government that took notice of the clues Reagan had provided. Iran, which knew that Libya also used Crypto AG machines, became increasingly concerned about the security of its own equipment. Hans Buehler, Crypto AG's top salesman, was questioned extensively by Iranian officials during a visit to Tehran in 1986, shortly after the bombing and the U.S. strikes on Libya.[65] Tehran did not act on those suspicions for another six years, but the seed of distrust that would ultimately lead to Buehler's arrest in 1992 was planted in the aftermath of Reagan's address.[65]
The U.S. airstrikes themselves killed at least 30 Libyan soldiers and 15 civilians; one of the bombs struck Gaddafi's personal compound in the Bab al-Azizia barracks, reportedly killing his adopted infant daughter Hana, although both the claim and her existence have been disputed.[61] British Prime Minister Margaret Thatcher had granted the United States permission to use the Royal Air Force base at Lakenheath for the operation. Reagan subsequently pressed the U.S. Senate for quick ratification of an extradition treaty with Britain as a gesture of gratitude for Thatcher's support.[27]
Trial and later developments
No individual was officially charged with the La Belle bombing until after the reunification of Germany in 1990 and the opening of the Stasi archives in East Germany.[61] Stasi files led German prosecutor Detlev Mehlis to Musbah Abdulghasem Eter, a Libyan intelligence operative who had worked at the Libyan People's Bureau in East Berlin.[61] In November 2001, a Berlin court convicted four defendants, including Eter, and ruled that the bombing had been "planned by the Libyan secret service and the Libyan Embassy."[61] However, the court was unable to prove the direct personal involvement of Gaddafi and notably complained about "the limited willingness" of the German and American governments to share classified intelligence material with the tribunal.[61]
The reluctance of both Washington and Berlin to share intelligence with the court is consistent with the broader pattern identified throughout the Crypto AG operation: governments exploited the intercepted communications for their own purposes but were unwilling to expose the source of the intelligence in legal proceedings, lest the entire programme be compromised.[27]
Iran-Iraq War (1980-1988)
The Iran-Iraq War, which lasted from September 1980 to August 1988 and killed an estimated one million people, generated what the leaked CIA internal history describes as the single largest volume of intelligence derived from Crypto AG compromised devices. Both Iran and Iraq were major Crypto AG customers throughout the conflict, and the NSA's ability to read their communications provided the United States with an extraordinary window into both sides of one of the deadliest wars of the late 20th century.[1]
Both belligerents as Crypto AG customers
In 1981, the year after the war began, Crypto AG's customer ledger listed Iran as the company's second-largest client and Iraq as the fifth-largest, behind Saudi Arabia, Iran, Italy, and Indonesia.[1] Both governments relied on Crypto AG equipment for their diplomatic and military communications, and both were using devices whose algorithms had been designed by the NSA and whose output was readily decryptable by Western intelligence agencies.[66]
The Hermetic Systems analysis of the NSA-Crypto AG relationship noted that "Hussein's artful slaughter of Iranians was aided by good military intelligence" and that "the role of NSA in the conflict is an open secret in Europe, the Middle East, and Asia."[66]
The scale of Iranian intercepts
The Washington Post investigation, drawing on the leaked CIA internal history, provided precise figures for the intelligence yield from Iran during the war. U.S. spy agencies intercepted more than 19,000 Iranian communications sent via Crypto AG machines during the decade-long conflict, "mining them for reports on subjects such as Tehran's terrorist links and attempts to target dissidents."[1] According to the CIA document, Iran's communications were "80 to 90 percent readable" to U.S. spies, "a figure that would probably have plunged into the single digits had Tehran not used Crypto's compromised devices."[1]
This volume of intercepts made Iran one of the most thoroughly surveilled nations in the world. The NSA could track Iranian military orders, troop movements, logistics, and diplomatic negotiations in near-real time. The intelligence covered not only the battlefield but also Iran's broader foreign policy, including its support for Hezbollah in Lebanon, its efforts to target Iranian dissidents abroad, and its back-channel communications with other governments in the region.[1]
Intelligence sharing with Iraq
The most controversial dimension of the Crypto AG-derived intelligence during the Iran-Iraq War was its passage to Saddam Hussein's government. According to the Hermetic Systems analysis, "one of the dirty little secrets of the 1980s is that the U.S. regularly provided Iraq's Saddam Hussein with top-secret communication intercepts by the U.S. National Security Agency."[66]
The Reagan administration's "tilt" toward Iraq was formalised after Donald Rumsfeld, serving as President Reagan's special envoy, met with Saddam Hussein in Baghdad in December 1983. Following Rumsfeld's visit, the United States restored full diplomatic relations with Iraq, removed Iraq from the State Sponsors of Terrorism list, and began providing Iraq with economic credits, agricultural commodities, and "dual-use" goods with military applications.[67] The National Security Archive's Iraq Project, which published a 10,000-page document collection on the "Iraqgate" scandal, has documented "the extensive financial, intelligence, and (at minimum, indirect) military support provided to Saddam Hussein by the Reagan and first Bush administrations, in full knowledge of Iraq's repressive policies and widespread and illegal use of chemical weapons."[67]
A critical component of this support was the sharing of signals intelligence derived from intercepted Iranian communications. The Crypto AG operation made this particularly efficient: because the NSA could read Iranian military traffic encrypted on compromised Crypto AG machines, it could provide Baghdad with timely and accurate intelligence about Iranian troop dispositions, planned offensives, and logistical vulnerabilities. This intelligence was shared through U.S. military liaison channels and contributed directly to Iraqi battlefield decisions.[66]
Iraq's growing suspicions
Iraq was itself a Crypto AG customer, and over time, Saddam Hussein's regime became increasingly wary of foreign-supplied encryption technology. Unlike Iran, which continued to use Crypto AG equipment well into the 2000s, Iraq eventually moved toward domestically produced encryption systems. According to Spyscape's analysis of the operation, Saddam Hussein "insisted on domestic production to tighten security", a decision driven by a general climate of paranoia about Western intelligence penetration rather than any specific discovery of the Crypto AG backdoors.[68]
This transition reduced the intelligence yield from Iraqi communications but did not eliminate it entirely, as Iraq continued to use some Crypto AG equipment alongside its domestic systems throughout the 1980s.[68]
Chemical weapons and the ethical dimension
The passage of NSA intelligence to Saddam Hussein's military took on a particularly dark dimension in the context of Iraq's use of chemical weapons. Iraq employed mustard gas and nerve agents against Iranian forces repeatedly during the war, and in the final stages of the conflict, turned these weapons against its own Kurdish population in the Anfal genocide (1986-1989), which killed an estimated 50,000 to 200,000 Kurdish civilians.[67] The United States was aware of Iraq's chemical weapons use from early in the conflict; a declassified DIA analysis from 1983 confirmed Iraqi chemical attacks on Iranian positions.[67]
The knowledge derived from Crypto AG intercepts placed the U.S. intelligence community in an acute ethical position: the same signals intelligence that revealed Iranian military plans was being shared with a regime that was simultaneously using weapons of mass destruction against both Iranian soldiers and Iraqi Kurdish civilians. The leaked CIA and BND internal histories, according to the Washington Post, "largely avoid more unsettling questions, including what the United States knew, and what it did or didn't do, about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses."[1]
The Bakhtiar assassination and the trail to Buehler
The long tail of Iran's use of Crypto AG equipment led to one of the incidents that most directly threatened to expose the operation. On 6 August 1991, former Iranian Prime Minister Shapour Bakhtiar was assassinated in his home in Suresnes, a suburb of Paris. The following day, before the French police had publicly announced the discovery of Bakhtiar's body, the Iranian intelligence service transmitted a coded message to Iranian embassies asking whether "Bakhtiar is dead."[66] Western intelligence agencies, reading the Iranian traffic via Crypto AG devices, deciphered this message, establishing that Tehran had advance knowledge of the assassination.[66]
The Bakhtiar case deepened Iran's suspicions about the security of its Crypto AG equipment. When Iran arrested Hans Buehler in Tehran in March 1992, Iranian interrogators questioned him repeatedly about the company's relationship with Western intelligence services and the compromised nature of its encryption products. As noted in the earlier section on the Buehler affair, the salesman was eventually released after nine months, but the chain of events linking the La Belle bombing disclosure of 1986 to the Iranian suspicions of 1986-1992 to the Bakhtiar intercept of 1991 and finally to Buehler's arrest in 1992 illustrates how the consequences of intelligence exploitation compounded over time, each incident narrowing the margin of operational security and bringing the programme closer to exposure.[1]
United States invasion of Panama and the Vatican (1989)
The U.S. invasion of Panama in December 1989 produced one of the most striking single episodes in the history of the Crypto AG operation: the tracking of Panamanian dictator Manuel Noriega through intercepted Vatican communications.
Background
General Manuel Noriega had risen to become Panama's de facto ruler after the death of Omar Torrijos in a 1981 plane crash.[69] For decades, Noriega had served as a paid informant and asset of the CIA, receiving tens of thousands of dollars annually for intelligence on Cuba, Sandinista Nicaragua, and drug trafficking routes in the region.[70] CIA Director William J. Casey reportedly described Noriega with the aphorism: "He's a bastard, but he's our bastard."[70] In reality, Noriega was simultaneously selling American intelligence secrets to Cuba and Eastern European governments, and serving as a facilitator for the Medellín Cartel, pocketing an estimated US$100,000 to $200,000 per planeload of cocaine transiting Panama en route to the United States.[70]
By 1988, Noriega had been indicted by federal grand juries in Florida on multiple charges of drug trafficking, racketeering, and money laundering.[71] In May 1989, he annulled the results of a presidential election that had been won by a wide margin by opposition candidate Guillermo Endara, prompting international condemnation. In October 1989, he survived a coup attempt.[71] On 15 December, Noriega's rubber-stamp National Assembly declared him "maximum leader" and stated that a "state of war" existed between Panama and the United States.[71] The following day, Panamanian soldiers shot and killed an unarmed U.S. Marine officer.[71]
On 20 December 1989, President George H. W. Bush launched Operation Just Cause, deploying approximately 24,000 troops to seize Noriega and install the democratically elected Endara government.[71][72] Organised Panamanian resistance was overwhelmed within four days, though fighting continued for several weeks. Estimates of casualties vary: 23 U.S. troops were killed, along with approximately 450 Panamanian soldiers and several hundred civilians, with some estimates placing the civilian toll in the thousands.[73]
The Vatican as a Crypto AG customer
The Holy See (Vatican) was among the more than 120 countries and entities that purchased Crypto AG encryption devices for their diplomatic communications.[1][74] The Vatican's global network of Apostolic Nunciatures (diplomatic missions) communicated with the Secretariat of State in Vatican City using these devices, believing their messages to be secure. In practice, the encryption in the Vatican's Crypto AG machines had been designed by the NSA and was readily breakable.[1]
When reports of Crypto AG's links to Western intelligence surfaced following the Buehler affair in the 1990s, the Vatican was informed of the details surrounding the compromised equipment. According to one account, the Holy See "showed a marked lack of charity" toward Crypto AG upon learning that the Swiss company it had trusted with the security of its global diplomatic communications had been a tool of American espionage.[75]
Locating Noriega
When Operation Just Cause was launched on 20 December 1989, Noriega evaded the initial assault. The U.S. military conducted an intensive four-day manhunt, offering a US$1 million bounty for his capture and deploying Delta Force and Navy SEALs under Operation Nifty Package to destroy his private jet and gunboat to prevent his escape.[71][72]
On the fifth day of the invasion, Noriega telephoned Monsignor José Sebastián Laboa, the Papal Nuncio in Panama City, and requested sanctuary at the Apostolic Nunciature (the Vatican's diplomatic mission).[71] Laboa, given only ten minutes to decide and without conferring with the Vatican, agreed to allow Noriega onto the mission's grounds, though he later confided that from the very start his intention was to convince Noriega to surrender rather than to grant genuine asylum.[71]
According to the leaked CIA papers, as reported by Swiss public broadcaster SRF and republished by Swissinfo, the United States "received the first indication that he was in the Vatican embassy, thanks to the Vatican's 'Minerva'-enabled communications."[76] In other words, when the Nunciature transmitted a message to Vatican City reporting that Noriega had sought refuge on its premises, the communication was encrypted using a Crypto AG device with a deliberately weakened algorithm. The NSA intercepted and decrypted the message, alerting U.S. military commanders to Noriega's precise location.[77]
The Washington Post confirmed the episode: "In 1989, the Vatican's use of Crypto devices proved crucial in the U.S. manhunt for Panamanian leader Manuel Antonio Noriega. When the dictator sought refuge in the Apostolic Nunciature, his whereabouts were exposed by the mission's messages back to Vatican City."[77]
The standoff and Noriega's surrender
With Noriega's location now confirmed, U.S. forces surrounded the Nunciature. Secretary of State James Baker wrote to the Vatican, insisting that the case represented "an exception to diplomatic immunity" and that having "lost American lives to restore democracy in Panama, we cannot allow Noriega to go to any other country than the United States."[71] Vatican spokesman Joaquín Navarro-Valls responded that the Holy See would not comply with American demands to hand over Noriega, and clarified that Pope John Paul II had spoken on the matter only to "lament the deaths caused by 'absurd imprudence.'"[71]
U.S. forces then resorted to psychological warfare, blasting rock music at the Nunciature at deafening volume around the clock, revving the engines of armoured vehicles against the mission's fence, and bulldozing a neighbouring field to create a helicopter landing zone.[71][72] National Security Adviser Brent Scowcroft later described the sonic assault on the Papal Nunciature as "a low moment in U.S." military conduct.[71]
Inside the mission, Monsignor Laboa conducted what he later described as a "precisely calibrated psychological campaign" of his own, working to isolate Noriega from his four companions (including the head of Panama's secret police) and gradually persuading him that resistance was futile.[71] On 3 January 1990, after ten days of siege, Noriega attended Holy Mass in the Nuncio's chapel. Monsignor Laboa's homily concerned the thief on the cross who in his final moment asked God to change his life.[71] After the service, Noriega dressed in full military uniform and surrendered to U.S. forces at the front gate. He was immediately flown to Miami, where he was arraigned on criminal charges.[73] On 9 April 1992, Noriega was convicted of cocaine trafficking, racketeering, and money laundering; in July 1992 he was sentenced to 40 years in prison (later reduced to 30).[73]
The Panama episode demonstrated the reach of the Crypto AG operation into an institution that most observers would have considered beyond the scope of Cold War intelligence gathering. The Vatican's role was that of an unwitting third party: its encrypted communications had inadvertently exposed the fugitive whom it was sheltering. The incident also highlighted the breadth of the Minerva customer list; the fact that even the Holy See, an entity with no military forces and no role in the geopolitical rivalries of the Cold War, was using compromised Crypto AG equipment underscored the programme's indiscriminate scope.[78]
Assassination of Shapour Bakhtiar (1991)
The murder of former Iranian Prime Minister Shapour Bakhtiar on 6 August 1991 and its detection through Crypto AG-intercepted communications constituted the incident that most directly precipitated the crisis leading to the arrest of Hans Buehler in 1992. The episode demonstrated both the extraordinary reach of the Crypto AG intelligence programme and the danger that its exploitation could generate a chain of suspicion among target governments.
Background
Shapour Bakhtiar was born on 26 June 1914 into the leading family of the Bakhtiari tribe of southwestern Iran. His maternal grandfather had twice served as Prime Minister during the Constitutional Revolution.[79] Educated at the Sorbonne, Bakhtiar had fought in the Spanish Civil War against Franco's Nationalists and served in the French Resistance during the Second World War.[80] In January 1979, as the Iranian Revolution intensified, Shah Mohammad Reza Pahlavi appointed Bakhtiar as his last Prime Minister, a position he held for only 36 days before the triumph of Ayatollah Khomeini's revolution forced him into exile in France.[79]
From his home in Suresnes, a western suburb of Paris, Bakhtiar led the National Movement of Iranian Resistance, which opposed the Islamic Republic from abroad.[81] He survived a first assassination attempt on 18 July 1980, in which a five-man hit squad with ties to the newly established Islamic Republic attacked his residence in Neuilly-sur-Seine, killing a French policeman and a neighbour. The attackers, led by Lebanese operative Anis Naccache, were captured and sentenced to life imprisonment, but were pardoned by President François Mitterrand in July 1990 and flown to Tehran.[81][80]
The assassination
On 6 August 1991, three Iranian men gained access to Bakhtiar's heavily guarded residence in Suresnes. One of them, Fereydoon Boyer-Ahmadi, was well known to Bakhtiar and had cultivated a relationship of trust with the former Prime Minister over an extended period, serving as what the Iran Human Rights Documentation Center later described as "a Trojan horse."[82] The three assassins entered the residence after handing their passports to Bakhtiar's police guards, and were admitted under the pretence of a business meeting.[80]
Inside, the assassins strangled and repeatedly stabbed Bakhtiar and his secretary, Soroush Katibeh, using knives from Bakhtiar's own kitchen.[80] Their bodies were not discovered for at least 36 hours, despite the presence of heavy police protection around the building.[83]
The intercepted message
What happened next has often been cited as a key example of the reach of Western codebreaking against Iranian communications. Before the French police had publicly announced the discovery of Bakhtiar's body, the Iranian intelligence service transmitted a coded message to Iranian embassies around the world asking whether "Bakhtiar is dead".[84] Western intelligence agencies intercepted and deciphered this traffic, establishing that Tehran had prior knowledge of the assassination and was seeking confirmation of its success via supposedly secure diplomatic channels.[84]
In an internal BND "Gedächtnisprotokoll" dated December 2009, later summarised by Bart Jacobs, these messages were described as having been enciphered using devices supplied by Crypto AG and were presented as dramatic proof that Iran's Crypto AG-based diplomatic communications had been compromised.[63] Jacobs, however, drawing on a closely involved source in Dutch intelligence, reports that the controversial Iranian messages did not use Crypto AG devices at all but a relatively complex manual cipher, whose ciphertexts were intercepted and broken by the Dutch TIVC organisation and several other signals intelligence services.[63] If this account is correct, the Bakhtiar intercept demonstrates the vulnerability of Iran's manual cryptographic systems and operational security rather than a direct exploitation of Crypto AG equipment, even though the affair still contributed to Iranian suspicions about the company.
The getaway and trial
The assassination itself was described by investigators as "a perfect murder", but the escape plan quickly unravelled.[80] Two of the three assassins, Ali Vakili Rad and Mohammad Azadi, were to flee through Switzerland and be flown to Iran. Travelling under forged Turkish passports, they took the train toward the Swiss border, but became lost in Lyon (France) because they spoke no French and disembarked at the wrong railway station.[80] Azadi eventually reached Geneva and was successfully exfiltrated to Iran, but Vakili Rad was found wandering the banks of Lake Geneva and was arrested by Swiss authorities.[80]
French investigators traced the support network to Zeynalabedin Sarhadi, a great-nephew of then-President Akbar Hashemi Rafsanjani, who had arrived in Switzerland on 13 August 1991 under the pretext of working as an archivist at the Iranian embassy and had made hotel reservations for the assassins.[79][80] Prior to and after the murder, members of the assassination support team had made numerous phone calls from an apartment in Switzerland to numbers at Iran's Telecommunications Ministry that were used by Iranian intelligence agents.[79]
In December 1994, a French court convicted Vakili Rad and sentenced him to life imprisonment. Sarhadi was acquitted.[80] Vakili Rad was paroled on 19 May 2010 after serving 18 years and was immediately deported to Iran, where he was received as a hero by government officials. His release came just two days after Tehran freed Clotilde Reiss, a French student accused of spying by the Islamic Republic; both the French and Iranian governments denied the two events were linked.[80]
Boyer-Ahmadi, the third assassin who had served as the Trojan horse, escaped to Iran and was never brought to trial. He died of COVID-19 in Tehran on 7 August 2021, almost exactly 30 years after the murder, and was buried at Behesht-e Zahra cemetery.[82]
In 2002, a U.S. federal judge awarded Bakhtiar's daughter France Mokhtab Rafi'i US$305 million in punitive damages against the Islamic Republic of Iran, of which $300 million was assessed against the Ministry of Intelligence specifically. A further $12 million in compensatory damages was awarded to Bakhtiar's widow Shahintaj in 2008.[79]
Consequences for the Crypto AG operation
The Bakhtiar episode's significance within the Crypto AG narrative lies not only in its demonstration of the programme's intelligence value, but in its role as a catalyst for the crisis that nearly destroyed the entire operation. Iranian suspicions had been building since 1986, when President Reagan's public statements about intercepted Libyan communications signalled that Western intelligence could read supposedly secure diplomatic traffic, which many in Tehran associated with their own Crypto AG equipment.[59] As noted in the earlier section on the La Belle bombing, those statements had made it clear that Crypto AG-encrypted traffic was being read.[1] The interception of the "is Bakhtiar dead?" cable deepened Iran's already growing suspicions about the integrity of its Crypto AG equipment. Tehran knew that the cable had been sent over its supposedly secure diplomatic channels, yet Western governments had clearly obtained its contents.
The chain of events from 1986 to 1991 created an escalating pattern of exposure risk: the La Belle bombing disclosures had planted the seed of distrust in Tehran; the Bakhtiar intercept had confirmed that Iran's own diplomatic channels were compromised; and by March 1992, Iran was sufficiently alarmed to arrest Hans Buehler on his next visit to Tehran. The Buehler affair, as described in the earlier sections, then triggered the most serious security breach in the programme's history and ultimately led to the BND's withdrawal from the partnership in 1993.[1]
Former IRGC Minister Mohsen Rafiqdoust, in a 2025 interview with the Tehran-based news website Didban Iran, provided what amounted to an Iranian government confession regarding the Bakhtiar assassination, stating that he had personally supervised the operation and that Khomeini himself had endorsed the death sentence against Bakhtiar.[85] The broader campaign of which the Bakhtiar assassination formed a part was extensive: according to a 2024 report by the Abdorrahman Boroumand Center, the Islamic Republic was responsible for 862 extrajudicial executions and 124 attempted kidnappings or assassinations of opponents over four decades, making it one of the most prolific state sponsors of political assassination in modern history.[85]
Yugoslavia and the Yugoslav Wars (1957-1995)
Yugoslavia's relationship with Crypto AG is unique in the history of the operation. It was, by multiple accounts, the only country in the world whose cryptographic experts independently discovered that their Crypto AG devices had been deliberately weakened, forced the company to repair them, and thereafter maintained secure communications that Western intelligence agencies were unable to break, even during the Yugoslav Wars of the 1990s,[86][87] although Austria had also identified vulnerabilities.[88]
Yugoslavia as a major Crypto AG customer
Yugoslavia was among the very first non-Western countries to purchase Crypto AG equipment. According to the leaked CIA internal history, Yugoslavia bought 121 CX-52 cipher machines as early as 1957, making it one of the company's best and most important customers outside the NATO alliance.[89][90] The BND's companion history noted that the initial 1957 purchase consisted only of older mechanical Crypto devices that the CIA and NSA were "most likely able to intercept."[90]
Yugoslavia's strategic position as a non-aligned socialist state, independent of both the Soviet bloc and NATO, made it an especially attractive intelligence target. As the Minerva files noted, Yugoslavia was "an important espionage target" from the very beginning of its relationship with Crypto AG.[91] The CIA's customer list, as reproduced in the Croatian investigative outlet Portal Novosti, placed Yugoslavia alongside Saudi Arabia, Iran, Italy, Indonesia, Argentina, Iraq, Libya, Jordan, and South Korea as the company's top clients. "Each of these countries," the Minerva history stated, "was an important intelligence target."[86]
The 1978 purchase and discovery of the manipulation
In the mid-1970s, the Yugoslav People's Army (JNA) acquired then-modern electronic MCC-314 bulk encryption devices from Crypto AG for several hundred thousand Swiss francs, for use on the military's command communications networks.[89][88] The devices had been manipulated by the BND: according to the CIA's internal report, cited by ZDF, the algorithm had been designed by a BND employee identified only as "S.", who "used a synchronisation scheme to make the device readable."[90][88]
The BND's method, however, proved too crude to escape notice. According to the Crypto Museum, both Austria and Yugoslavia independently detected the weakness in 1974, after which the company's head of research and development, Peter Frutiger, was sent to repair the affected devices.[92][22][23] The CIA history itself conceded that the "German scheme was too transparent, so that several customers, including the Yugoslavs and the Austrians, discovered the readability of the machine."[88] The Austrian discovery was later confirmed in Austrian media, though the precise date of Austria's detection remained unclear.[88]
Yugoslavia's cryptographic experts, by contrast, identified the vulnerability almost immediately. Multiple Serbian-language sources, drawing on the Deutsche Welle reporting and the SRF documentary, described the chain of events that followed. The JNA's specialists confronted Crypto AG with their findings and delivered an ultimatum: either the company would send a technician to repair the devices, or Yugoslavia would publicly expose the manipulation.[91][89] The Serbian newsmagazine Nedeljnik published a detailed investigation in February 2020 describing how the JNA's Electronics and Communications Directorate had received the compromised device (identified in the Nedeljnik report as the HC-5205 model, apparently a later variant) and established that "every message sent through this device would end up directly, in real time, at the headquarters of the American National Security Agency."[93]
The threat of public exposure prompted an emergency meeting at Crypto AG headquarters. The company dispatched Bruno von Ah, an engineer who was not aware of the CIA-BND ownership or the deliberate manipulation of the devices, to Belgrade. Von Ah later recounted in an interview with Swiss television SRF that he travelled to Belgrade, examined the devices, and discovered that they could indeed be made "unreadable," i.e. genuinely secure.[86][91] He reprogrammed the algorithms, rendering the Yugoslav equipment cryptographically sound. "After that," the sources reported, "Yugoslavia was no longer a topic at Crypto AG."[89]
The Croatian investigative portal Portal Novosti noted that "Yugoslavia had a highly developed cryptology," a point confirmed by German intelligence historian Erich Schmidt-Eenboom, and that "a series of specialists from this field, essentially a branch of mathematics, collaborated with the JNA."[86]
Consequences during the Yugoslav Wars (1991-1995)
The Yugoslav discovery had a direct consequence a decade and a half later, when the Yugoslav Wars erupted in 1991. As the conflict began, Crypto AG management approached Bruno von Ah and asked him what kind of devices had been sold to Yugoslavia. In his SRF interview, Von Ah recalled: "Then people from the management came and asked me what devices had been sold to Yugoslavia. At that moment, it became clear to me who I was really working for."[91][89]
Western intelligence services attempted to intercept communications of the JNA and subsequently of the Serbian forces that inherited much of its equipment. However, because the Yugoslav devices had been repaired and rendered genuinely secure in the late 1970s, these efforts were unsuccessful.[86] The Kosovo Albanian newspaper Koha Ditore, citing its own investigative sources within the Crypto AG file, reported that "on the eve of the outbreak of the war in Yugoslavia, the specialists of the Yugoslav People's Army probably discovered that the devices were manipulated and complained to the Swiss. Afraid that the Yugoslavs might talk about this sensitive issue, the sellers of the Crypto AG firm sent them devices in good condition."[87] Koha Ditore added that "the CIA and the BND complained to the Swiss firm about what had happened: that the surveillance of the Yugoslavs was no longer working."[87]
Portal Novosti summarised the outcome in a sentence: "The Yugoslav affair with Crypto AG had consequences all the way into the 1990s: Western intelligence services attempted during the wars here to intercept the communications of Serbian armies, but unsuccessfully."[86]
Yugoslavia's case is thus doubly significant within the history of the Crypto AG operation. It demonstrates both the vulnerability of the programme to detection by countries with genuine cryptographic expertise, and the long-term intelligence consequences of a target nation's successful countermeasures. While the BND's clumsy algorithm design was corrected for other clients, and the NSA subsequently took a more active role in designing less detectable weaknesses, the Yugoslav repair appears to have had a lasting effect. According to Portal Novosti and Koha Ditore, Western efforts to intercept JNA and later Serbian military communications during the 1990s wars were unsuccessful, though the leaked histories do not detail how comprehensively the repaired equipment protected Yugoslav traffic in the decades that followed.[86][87]
Gulf War (1990-1991)
The Gulf War of 1990-1991 took place against the backdrop of years of Crypto AG-derived intelligence on both Iraq and Kuwait, two of the company's most significant Middle Eastern clients. The leaked histories confirm that the NSA could read Iraqi traffic for much of the relevant period.[1] The declassified record does not, however, establish whether or how Crypto AG intercepts figured in the planning of Operation Desert Storm, and any link between the programme and the coalition's wartime intelligence advantage remains inferential.[66]
Prelude: Iraq's invasion of Kuwait
On 2 August 1990, Iraqi forces invaded and occupied the emirate of Kuwait, precipitating an international crisis.[94] The invasion was motivated by a combination of territorial claims, disputes over oil production quotas, and Iraq's crushing debt burden following the eight-year Iran-Iraq War.[94]
Kuwait had been a significant Crypto AG customer and user of the company's encryption products for its diplomatic and military communications.[1] The Spyscape analysis of the Minerva files explicitly identified Kuwait as one of the countries whose communications were vulnerable to interception via Crypto AG devices.[37] After the invasion, Kuwait's communications infrastructure, including its Crypto AG equipment, fell under Iraqi control, though the exiled Kuwaiti government continued to communicate from Saudi Arabia using its own devices.
The intelligence reversal
For the preceding decade, as detailed in the section on the Iran-Iraq War, the United States had been sharing NSA-derived signals intelligence with Saddam Hussein's government, including intercepts of Iranian communications obtained through compromised Crypto AG equipment.[66] The invasion of Kuwait abruptly transformed Iraq from a recipient of American intelligence into its primary target. The same Crypto AG vulnerabilities that had been exploited to help Iraq during the Iran-Iraq War now became tools for reading Iraqi military and diplomatic traffic in preparation for a war against Iraq.[66]
The irony was not lost on contemporary observers. The Hermetic Systems analysis noted that "when in 1991 the government of Kuwait paid the public relations firm of Hill & Knowlton ten million dollars to drum up American war fever against the evil dictator Hussein, it brought about the end of a long legacy of cooperation between the U.S. and Iraq."[95]
Coalition intelligence during Operation Desert Storm
The U.S. Central Command, led by General Norman Schwarzkopf, assembled a 34-nation coalition of approximately 660,000 troops.[94] Operation Desert Storm began on 17 January 1991 with an extensive aerial bombardment campaign. One of the initial objectives of the air war was the destruction of Iraq's command-and-control communications infrastructure, including radio transmitters, telephone exchanges, and military communications nodes.[94]
Iraq's continued use of Crypto AG equipment during this period, combined with the NSA's intimate knowledge of the algorithms embedded in those devices, would have provided coalition intelligence analysts with a significant advantage in reading any Iraqi communications that survived the bombing campaign and were transmitted via the compromised machines. By 1990, Iraq ranked among the top five Crypto AG customers globally, and the CIA's internal history confirmed that Iraqi communications had been a target of exploitation for the preceding two decades.[1]
However, as noted in the Iran-Iraq War section, Saddam Hussein had over the years become increasingly wary of foreign-supplied encryption and had begun transitioning toward domestically produced systems. The extent to which Iraqi military commanders in the field relied on Crypto AG equipment versus domestic alternatives during the Gulf War remains unclear from the available sources. What is documented is that the CIA provided "intelligence support to the U.S. military in Operation Desert Shield and Operation Desert Storm" and that, after the war, "CIA took steps to correct the shortcomings identified during the Gulf War and improve its support to the US military."[96]
The Gulf War ended on 28 February 1991, 100 hours after the ground campaign began, with a decisive coalition victory. Iraqi casualties were estimated in the tens of thousands, while coalition losses were comparatively light: 148 American troops killed in action and fewer than 100 casualties among other coalition nations.[94]
Post-war significance
The Gulf War marked a turning point in Iraq's relationship with Crypto AG. While Iraq had already been diversifying its encryption capabilities before the conflict, the war accelerated the shift away from commercially procured foreign equipment toward systems developed under tighter state control. The broader lesson of the Gulf War from the perspective of the Crypto AG programme was that the same intelligence relationship could serve diametrically opposed purposes within the span of a few years: equipment and intercepts that had been used to assist Iraq against Iran were repurposed to facilitate the destruction of Iraqi military capabilities less than three years later.[95]
Nuclear rivals India and Pakistan (1974-1998)
India and Pakistan, described by the Washington Post as "nuclear rivals", were both confirmed customers of Crypto AG.[97] Le News, in its summary of the 62 countries specifically named in the leaked Minerva documents, listed both India and Pakistan among the nations whose diplomatic and military communications were encrypted on compromised devices.[98] The Indian news outlet The Quint reported that while the Minerva files did not specify which senior Indian political leaders had been monitored or what kind of information had been exposed, both countries' communications were vulnerable throughout the 1970s to 1990s.[99]
Strategic significance
The South Asian subcontinent was a critical intelligence target for the United States throughout the Cold War and its aftermath. India, as the leader of the Non-Aligned Movement, and Pakistan, as a key American ally in the containment of the Soviet Union (and later in the Afghan jihad), both required close monitoring. The compromised Crypto AG equipment gave the NSA and CIA a continuous window into the diplomatic calculations, military planning, and inter-governmental communications of both nations during periods of acute tension, including the Indo-Pakistani War of 1971, the aftermath of India's first nuclear test (Smiling Buddha, 1974), and the intensifying nuclear and missile competition of the 1980s and 1990s.[99][100]
The Week reported that Crypto AG equipment "accounted for roughly 40 per cent of the diplomatic cables and other transmissions by foreign governments that cryptanalysts at the NSA decoded and mined for intelligence", and that both India and Pakistan fell within this vast surveillance net.[100] The intelligence derived from these intercepts would have covered not only bilateral Indian-Pakistani tensions but also both countries' relations with China, the Soviet Union, and the broader South Asian diplomatic environment.[99]
Pokhran-II: the limits of the programme
The most dramatic episode involving both countries and Western intelligence during this period, the Indian nuclear tests of May 1998 (codenamed Operation Shakti), illustrates both the potential and the limitations of the Crypto AG intelligence programme.
On 11 and 13 May 1998, India conducted a total of five underground nuclear tests at the Pokhran test range in Rajasthan, including a thermonuclear device.[101] The tests were carried out under conditions of extraordinary secrecy. The Indian Intelligence Bureau was aware that U.S. spy satellites were monitoring the Pokhran range, and the Indian Army's 58th Engineer Regiment was tasked with preparing the sites without detection.[102] Scientists worked only at night, wore army uniforms, used codewords (the hydrogen bomb shaft was designated "White House"), and aligned excavated sand dunes to match prevailing wind patterns so that they would appear natural to satellite imagery analysts.[103]
The tests caught the U.S. intelligence community completely by surprise. Director of Central Intelligence George Tenet publicly admitted: "While the Intelligence Community has for years closely followed the Indian nuclear program, there is no getting around the fact that we did not predict these particular Indian nuclear tests. We did not get it right. Period."[104] Senator Richard Shelby, chairman of the Senate Select Committee on Intelligence, called it "the intelligence failure of the decade."[105] A subsequent review led by retired Admiral David E. Jeremiah examined the failure and recommended reforms.[104]
The failure is significant within the context of the Crypto AG programme because it demonstrates the inherent limitations of signals intelligence, even when augmented by compromised encryption. India's test preparations were confined to an extremely small circle of senior officials and military personnel who communicated through face-to-face meetings and codewords rather than through diplomatic cables. APJ Abdul Kalam, who oversaw the programme as Scientific Adviser to the Defence Minister, and R. Chidambaram, chairman of the Atomic Energy Commission of India, restricted knowledge of the tests so tightly that even Defence Minister George Fernandes was reportedly excluded from a critical planning meeting.[103] The compromised Crypto AG channels through which India's diplomatic and military traffic flowed simply did not carry the critical information, because the planners had deliberately kept it off all electronic communications. As the Arms Control Association noted, "the timing of the tests came as a surprise to the U.S. intelligence community" despite years of close monitoring of the Indian nuclear programme.[101]
Pakistan responded with its own series of nuclear tests at Chagai on 28 May and 30 May 1998. Unlike the Indian tests, Pakistan's preparations were detected in advance by U.S. intelligence; satellite imagery observed accelerating tunnel-boring and monitoring equipment setup at Ras Koh in the days before the detonations.[102] The Clinton administration applied intense diplomatic pressure on Pakistani Prime Minister Nawaz Sharif to refrain from testing, but ultimately Sharif concluded that domestic political survival required a response. According to nuclear weapon archives, his exact words to the chairman of the PAEC were: "Dhamaka kar dein" ("Conduct the explosion").[102]
The Indian and Pakistani episodes together illuminate the paradox at the heart of the Crypto AG programme. The operation provided the CIA and NSA with an extraordinary volume of diplomatic intelligence from both countries over decades, but when the most consequential strategic development of the era occurred, the intelligence derived from compromised encryption proved insufficient to provide advance warning. The programme could reveal what governments were saying to each other through formal channels; it could not reveal what a handful of individuals had agreed to do in a room with no telephones.[99]
Twilight of the operation: 2000s-2018
The leaked CIA internal history, completed circa 2004, concluded with the assessment that "at the turn of the century Minerva was still alive and well."[106] Nevertheless, the operation was entering its final phase. By the early 2000s, the commercial encryption landscape had been transformed beyond recognition. The global spread of software-based encryption, the emergence of secure internet protocols, and the availability of strong commercial cryptographic products from companies with no connection to Western intelligence agencies eroded the market dominance that Crypto AG had enjoyed for half a century.[106]
Declining relevance
The Washington Post reported that by the mid-1990s, "the days of profit were long past" and that Crypto AG "would have gone bankrupt without financial infusions" from the CIA.[106] The company's customer base was shrinking as governments adopted newer technologies, though many continued to use their existing Crypto AG hardware well into the 2000s and even the 2010s. The Week of India reported that, as of 2020, "Crypto's products are reportedly still in use in more than a dozen countries around the world."[107]
At the same time, the NSA's attention was shifting to new targets. "U.S. intelligence agencies appear to have been content to let the Crypto operation play out," the Post reported, "even as the NSA's attention shifted to finding ways to exploit the global reach of Google, Microsoft, Verizon, and other U.S. tech powers."[106] The 2013 Snowden revelations exposed the scale of the NSA's digital surveillance programmes, including PRISM, which gave the agency direct access to the servers of major American technology companies.[99] The Quint observed that the Crypto AG story and the Snowden leaks were two sides of the same coin: "Crypto AG's reach and duration help to explain how the United States developed an insatiable appetite for global surveillance."[99]
The BND's continued exploitation
Although the BND formally withdrew from the Crypto AG partnership in 1993, the German intelligence service continued to exploit the cryptographic knowledge it had acquired during the two-decade joint operation. According to the Washington Post, Italian diplomatic traffic encrypted on Crypto AG devices "was reportedly still being deciphered around 2001," indicating that the BND was independently reading the communications of a fellow EU and NATO member state well into the 21st century.[106] The broader question of which other countries' traffic the BND continued to read after 1993 remains unanswered in the publicly available documents.
Liquidation (2017-2018)
In 2017, Crypto AG's headquarters building near Zug was sold to a commercial real estate company.[106] In 2018, the company's remaining assets were split and sold to two successor entities. CyOne Security AG was formed through a management buyout by former Crypto AG employees and now sells encryption systems exclusively to the Swiss government. Crypto International AG was established by Swedish entrepreneur Andreas Linde, who acquired the brand name, international product portfolio, and customer relationships.[106][98]
The Washington Post described the transactions as appearing "designed to provide cover for a CIA exit."[106] CyOne's purchase was structured so that its employees could move into a new company insulated from espionage risks, with the Swiss government, which "was always sold secure versions of Crypto's systems," as its sole customer.[106]
When confronted with the evidence by journalists, Linde, who had been attracted to the company by its Swedish heritage and its connection to Boris Hagelin, denied any knowledge of the CIA-BND connection. CyOne likewise denied any relationship with intelligence services.[106] The Swiss State Secretariat for Economic Affairs (SECO) suspended the export licences of Crypto AG's successors after the Federal Council's decision of December 2019. When the Federal Council declined to lift the resulting de facto export ban while the affair was under investigation, Crypto International announced in July 2020 that it would cut 83 of its 85 Swiss jobs, and in August 2020, after a failed request for the decision to be reconsidered, the Linde couple filed for bankruptcy at the Zug Office for Economic Affairs and Labour.[108][109] The Lindes had by then registered a successor company, Asperiq AG, in the commercial register, with a stated purpose of manufacturing telecommunications and consumer-electronics goods.[109]
Legacy
The Washington Post estimated that over the course of its half-century of operation, the Crypto AG programme allowed the CIA and its partners to read the encrypted communications of more than 120 countries. At its height, the programme accounted for roughly 40 percent of all diplomatic and military traffic that the NSA's cryptanalysts decoded worldwide, and for the BND it represented 90 percent of its diplomatic intelligence reporting.[106]
The Anadolu Agency, in its summary of the revelations, quoted the CIA's own assessment from the Minerva history: "Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries."[30]
The reference to "five or six" countries points to the Maximator alliance and possibly selected Five Eyes partners who also benefited from the compromised algorithms, extending the reach of the operation well beyond the two agencies that formally controlled it.[29]
Cryptographer Bruce Schneier, commenting on the revelations the day they were published, wrote: "This is a big deal. It shows that the U.S. and its allies had been eavesdropping on the secret communications of many countries for decades."[110] The Washington Post concluded its investigation with the observation that the NSA's "insatiable appetite for global surveillance" that was revealed by the Snowden leaks in 2013 had its roots in the institutional culture and capabilities built during the decades of the Crypto AG operation.[106]
Known Crypto AG "compromised" customer countries
The following table lists countries and entities identified in the leaked CIA and BND internal histories, the Washington Post/ZDF/SRF investigation, the National Security Archive's declassified documents, and academic analyses as confirmed or reported customers of Crypto AG compromised encryption equipment. The list is not exhaustive; the Minerva files indicate that Crypto AG sold to more than 120 countries over its five-decade history, while 62 are specifically named in the documents.[98] Countries that received secure, uncompromised versions of Crypto AG products (such as NATO's core members) are noted where known.
| Country/Entity | Region | Source | Notes |
|---|---|---|---|
| | South America | NSA Archive; WaPo[50] | Condortel participant; used CX-52 and H-4605 |
| | Europe | Vienna.at; ZDF[88] | Discovered MCC-314 vulnerability in the 1970s |
| | Europe | WaPo[1] | NATO ally; received compromised equipment |
| | South America | NSA Archive[50] | Operation Condor founding member |
| | South America | NSA Archive; Brustolin (2020)[53] | Supplied CX-52 machines to Condortel; purchased until 2019 |
| | South America | NSA Archive[50] | Hosted founding Condor meeting; purchased 1970s onward |
| | South America | NSA Archive[50] | |
| | South America | NSA Archive[50] | Joined Condortel 1978 |
| | Middle East/Africa | WaPo; Le News[1][98] | Monitored during Camp David Accords, Suez Crisis |
| | Europe | WaPo[1] | NATO ally; targeted over BND objections |
| | South Asia | WaPo; The Quint[99] | |
| | Southeast Asia | WaPo; Gizmodo[1] | Among top five customers by 1981 |
| | Middle East | WaPo; Iran Times[1][47] | Second-largest customer by 1981; 80-90% traffic readable |
| | Middle East | WaPo; Hermetic[1][66] | Fifth-largest customer by 1981; later shifted to domestic systems |
| | Europe | Le News; WaPo[98] | EU member; targeted over BND objections |
| | Europe | WaPo; Dobson (2020)[1] | NATO ally; traffic deciphered until circa 2001 |
| | East Asia | Le News; Gizmodo[98] | |
| | Middle East | WaPo[1] | Listed as major client |
| | East Asia | Gizmodo; Le News[98] | |
| | Middle East | Spyscape[37] | Equipment seized during 1990 Iraqi invasion |
| | Middle East | Le News[98] | |
| | North Africa | WaPo[1] | Sixth-largest customer by 1981; La Belle bombing intercepts |
| | North America | NSA Archive[50] | |
| | Central America | NSA Archive[50] | |
| | West Africa | WaPo; Dark Reading[78] | |
| | South Asia | WaPo; The Quint[99] | |
| | South America | NSA Archive[50] | Operation Condor founding member |
| | South America | NSA Archive[50] | |
| | Southeast Asia | WaPo[1] | |
| | Europe | Le News[98] | NATO ally |
| | Middle East | WaPo[1] | Largest customer by 1981 |
| | Southern Africa | Spyscape[37] | Apartheid-era government |
| | Europe | WaPo[1] | NATO ally; targeted over BND objections |
| | Middle East | WaPo; Dark Reading[1][78] | Peter Frutiger secretly fixed devices in 1977 |
| | Southeast Asia | WaPo[1] | |
| | Europe/Middle East | WaPo[1] | NATO ally; targeted over BND objections |
| | South America | NSA Archive[50] | Operation Condor founding member |
| | Europe | WaPo; Dark Reading[1][78] | Nunciature communications compromised (Panama 1989) |
| | South America | NSA Archive[50] | |
| | Europe | Nedeljnik; Portal Novosti[93][86] | Discovered manipulation; devices repaired in late 1970s |
Countries confirmed as receiving secure (uncompromised) versions of Crypto AG products include Germany, Sweden, and Switzerland.[111] Neither the Soviet Union nor the People's Republic of China ever purchased Crypto AG products, though several of their allied or client states did.[1]
Ethical and legal questions
The Crypto AG revelations have generated a substantial body of scholarly and journalistic analysis concerning the ethical and legal implications of the operation. These questions fall into several overlapping categories.
Knowledge of human rights abuses
The most consequential ethical question raised by the Minerva files is the extent to which the United States and West Germany possessed real-time knowledge of large-scale human rights abuses committed by governments using compromised Crypto AG equipment, and what, if anything, they did with that knowledge.
The leaked CIA internal history, as the Washington Post noted, "largely avoid[s] more unsettling questions, including what the United States knew, and what it did or didn't do, about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses."[1] Greg Miller, the Post journalist who led the investigation, elaborated on this point in an NPR interview, observing that the CIA's internal history "doesn't do so well" at examining "the inevitable dilemmas that come out of an operation like this" and that "this ultimately comes down to an operation in which you were deceiving and exploiting dozens of other sovereign countries."[6]
The Operation Condor dimension is particularly acute. As the National Security Archive documented, the Condor nations' encrypted communications, which coordinated the political extermination of more than 10,000 people in Argentina, over 3,000 in Chile, and hundreds more across the Southern Cone, were transmitted on Crypto AG devices whose output was readable by the CIA and NSA.[50] Peter Kornbluh of the NSA Archive stated that the Minerva documents have "the ability to play an important role in securing our history" and called for the full declassification of the CIA's case study.[50] The Washington Post reported that a 1976 internal CIA memo referred to instructions sent to ambassadors in the region to "express the serious concern of the U.S. government" regarding Condor assassination plots, but that the concern appeared directed primarily at operations outside the Condor countries' own borders, not at the domestic repression that constituted the bulk of the killing.[52]
The Cambridge Review of International Affairs paper by Brustolin (2020) placed the ethical question in broader perspective, noting that "it was revealed that, through Crypto AG machines, the BND and CIA had profound knowledge of South American human rights abuses in the late 1970s" and that "American and German inaction in the face of these human rights violations indicates that there were other (as yet unknown) factors in play during this time."[53]
Similarly, the Iran-Iraq War phase of the operation raised questions about the passage of NSA-derived intelligence to Saddam Hussein's government at a time when Iraq was employing chemical weapons against Iranian troops and Kurdish civilians. The National Security Archive's Iraq Project documented that the Reagan and first Bush administrations provided "extensive financial, intelligence, and (at minimum, indirect) military support" to Iraq "in full knowledge of Iraq's repressive policies and widespread and illegal use of chemical weapons."[67]
Deception of Crypto AG employees
A related ethical question concerns the treatment of Crypto AG's own employees. The vast majority of the company's approximately 250 staff members had no knowledge that the devices they were designing, manufacturing, and selling were deliberately weakened. As Miller told NPR, "you are exploiting and deceiving hundreds of employees at Crypto who were never told what they were really doing or who the real owners were, even as they're making devices, even as they're traveling around the world selling what they believed to be secure machines."[6]
The case of Hans Buehler is the most prominent example. Buehler was arrested in Iran, imprisoned for nine months, and interrogated about espionage activities of which he had no knowledge. After his release, Crypto AG fired him and attempted to recover the bail money from him personally.[1] Mengia Caflisch, the mathematician who independently discovered the weakened algorithms, was hired despite the CIA's objections and spent years at the company unaware of its true ownership.[6]
Swiss neutrality
The operation posed fundamental questions about Swiss neutrality, a principle enshrined in international law since the Congress of Vienna in 1815. A 2022 paper published in the International Journal of Legal Information by Cambridge University Press examined whether Switzerland's complicity in Operation Rubicon violated its duties under the law of neutrality. The author concluded that while a direct violation was "unlikely", the possibility could not be "completely ruled out" in cases where Crypto AG exported rigged devices or offered maintenance services during or immediately preceding armed conflicts between its customers.[112]
The Swiss parliamentary audit committee (GPDel), in its November 2020 report, found that the Swiss intelligence service (SND) had known of the operation since autumn 1993 and had itself sought to exploit the knowledge of weakened algorithms. The GPDel concluded that the Swiss authorities "share responsibility for the activities of Crypto AG" and criticised the destruction of classified files between 2011 and 2014.[3]
Precedent for digital surveillance
Several commentators and scholars have drawn a direct line from the Crypto AG operation to the digital mass surveillance programmes revealed by Edward Snowden in 2013. Greg Miller of the Washington Post wrote that "the Snowden documents tell us a lot about how they did that" and that "instead of working through this company in Switzerland, they turned their sights to companies like Google and Apple and Microsoft and found ways to exploit their global penetration."[6] The Quint observed that "Crypto AG's reach and duration help to explain how the United States developed an insatiable appetite for global surveillance."[99]
Cryptographer Bruce Schneier noted on the day of the revelations that the operation demonstrated a pattern of behaviour: "this is a big deal. It shows that the U.S. and its allies had been eavesdropping on the secret communications of many countries for decades."[15]
Defenders
Not all assessments of the operation have been negative. Bernd Schmidbauer, the former Minister of State in the German Chancellery under Helmut Kohl who confirmed the operation to ZDF in 2020, defended it by claiming that it "helped make the world a little safer and more peaceful."[111] The leaked CIA history itself characterises the programme as an unqualified triumph: "foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries."[30]
See also
- Crypto AG
- Operation Rubicon
- William F. Friedman
- Maximator alliance
- Operation Condor
- Five Eyes
- Signals intelligence
- Hans Buehler
- Falklands War
- Iran hostage crisis
- Camp David Accords
- West Berlin discotheque bombing
- Iran-Iraq War
- Snowden revelations
References
- Miller, Greg (11 February 2020). "'The intelligence coup of the century': For decades, the CIA read the encrypted communications of allies and adversaries". The Washington Post. Retrieved 10 May 2026.
- "The CIA's 'Minerva' Secret". National Security Archive. George Washington University. 11 February 2020. Retrieved 10 May 2026.
- Bansen, Peter (30 December 2020). "The report of a Swiss investigation into the case of Crypto AG". Electrospaces.net. Retrieved 10 May 2026.
- "Swiss politicians want answers over reports local firm was used by U.S., German spies". CBC News. 13 February 2020. Retrieved 10 May 2026.
- "Hagelin and Friedman: The Gentlemen's Understanding Behind 'The Intelligence Coup of the Century'". National Security Archive. George Washington University. 19 February 2020. Retrieved 10 May 2026.
- "Uncovering The CIA's Audacious Operation That Gave Them Access To State Secrets". NPR. 5 March 2020. Retrieved 10 May 2026.
- "The Hagelin Cryptographers" (PDF). CryptoCellar. Retrieved 28 May 2026.
- "The CX-52 cipher machine and an espionage scandal". Swiss National Museum Blog. 17 February 2020. Retrieved 10 May 2026.
- "Report of Visit to Crypto A.G. (Hagelin) by William F. Friedman, Special Assistant to the Director, National Security Agency" (PDF). National Security Agency. 15 March 1955. Retrieved 10 May 2026.
- "Hagelin CD-57". Crypto Museum. Retrieved 11 May 2026.
- "CD-57". jproc.ca. Retrieved 11 May 2026.
- "Lot 69: Hagelin CD-57". Sotheby's. 2017. Retrieved 11 May 2026.
- "Cold War: Hagelin CD-57 Pocket Cipher Machine". Bonhams. Retrieved 11 May 2026.
- "Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades". Hackaday. 2 March 2020. Retrieved 10 May 2026.
- Schneier, Bruce (11 February 2020). "Crypto AG Was Owned by the CIA". Schneier on Security. Retrieved 10 May 2026.
- "NSA, Crypto AG, and the Iraq-Iran Conflict". Hermetic Systems. Retrieved 10 May 2026.
- "Marxer & Partner Attorneys at Law". Retrieved 11 May 2026.
- "Ermordete Geheimdienst Sohn von Crypto-Gründer?" [Did intelligence services murder the son of the Crypto founder?]. 20 Minuten (in German). 13 February 2020. Retrieved 11 May 2026.
- "Two Years Ago: Crypto AG & The Ghost of Danny Casolaro". Intel Today. 10 March 2022. Retrieved 10 May 2026.
- "Remembering CIA Jacqueline K. Van Landingham (1962 – March 8 1995)". Intel Today. 8 March 2020. Retrieved 11 May 2026.
- Birrer, Raphaela (22 February 2020). "Der Informant, der aus der Deckung kommt" [The informant who steps out of cover]. Neue Zürcher Zeitung (in German). Retrieved 11 May 2026.
- "Crypto AG, Part 2: The Death of Bo Jr". Malicious Life (Cybereason). Retrieved 10 May 2026.
- "Crypto AG - Belgium Intelligence Committee Launches Investigation". Intel Today. 20 February 2020. Retrieved 10 May 2026.
- "Swiss intelligence benefited from CIA-Crypto spying affair". SWI swissinfo.ch. 10 November 2020. Retrieved 10 May 2026.
- Shane, Scott; Bowman, Tom (15 December 1995). "Swiss firm disputes allegations of rigging". The Baltimore Sun. Retrieved 11 May 2026.
- "Wer ist der befugte Vierte? Geheimdienste unterwandern den Schutz von Verschlüsselungsgeräten" [Who is the authorised fourth party? Intelligence services undermine the protection of encryption devices] (PDF). Der Spiegel. Vol. 36. 2 September 1996. pp. 206–207. Retrieved 11 May 2026.
- Dymydiuk, Jason (2020). "RUBICON and Revelation: The Curious Robustness of the 'Secret' CIA-BND Operation with Crypto AG". Intelligence and National Security. 35 (5): 641–658. doi:10.1080/02684527.2020.1774853.
- "The Swiss company that spied on the world". Le News. 12 February 2020. Retrieved 10 May 2026.
- Jacobs, Bart (2020). "Maximator: European signals intelligence cooperation, from a Dutch perspective". Intelligence and National Security. 35 (5): 659–668. doi:10.1080/02684527.2020.1743538. hdl:2066/221037. Retrieved 10 May 2026.
- "CIA, Germany's BND secretly owned key encryption firm". Anadolu Agency. 11 February 2020. Retrieved 10 May 2026.
- "Crypto AG". intelNews.org. Retrieved 10 May 2026.
- "Switzerland closes investigation into CIA-linked encryption firm". SWI swissinfo.ch. 21 December 2020. Retrieved 28 May 2026.
- "Special prosecutor closes Crypto Affair investigation". SWI swissinfo.ch. 30 March 2023. Retrieved 28 May 2026.
- "Malicious Life Podcast: Crypto AG - The Greatest Espionage Operation Ever Part 1". Cybereason. Retrieved 10 May 2026.
- "Hagelin and Friedman: The Gentlemen's Understanding Behind 'The Intelligence Coup of the Century'". National Security Archive. George Washington University. 19 February 2020. Retrieved 10 May 2026.
- "Operation Rubicon: the most successful intelligence heist of the 20th Century". University of Warwick. 9 November 2020. Retrieved 10 May 2026.
- "The Spy Heist of the Century: Operation Rubicon & Crypto AG". Spyscape. Retrieved 10 May 2026.
- "Who was Boris Hagelin and What Did He Do?". Discovery UK. 9 January 2023. Retrieved 10 May 2026.
- "The CIA's overlooked intelligence victory in the 1967 War". Brookings Institution. 9 March 2022. Retrieved 10 May 2026.
- Robarge, David S. (1 March 2005). "CIA Analysis of the 1967 Arab-Israeli War" (PDF). Central Intelligence Agency. Studies in Intelligence. Retrieved 10 May 2026.
- Telhami, Shibley. "The Camp David Accords: A Case of International Bargaining" (PDF). ETH Zurich. Retrieved 10 May 2026.
- "CIA declassifies Camp David Accords intelligence". The Times of Israel. Retrieved 10 May 2026.
- Brustolin, Vitelio (2020). "Exploring the relationship between Crypto AG and the CIA" (PDF). Cambridge Review of International Affairs. Retrieved 10 May 2026.
- "Malicious Life Podcast: Crypto AG - The Greatest Espionage Operation Ever Part 1". Cybereason. Retrieved 10 May 2026.
- "The Billy Carter-Libyan connection: a chronology". The Christian Science Monitor. 1 August 1980. Retrieved 10 May 2026.
- "Intelligence Confirmed Billy Got Libyan Money". The Washington Post. 22 July 1980. Retrieved 10 May 2026.
- "US read Iran's encoded mail for years". Iran Times. Retrieved 10 May 2026.
- "444 Days: Selected Records Concerning the Iran Hostage Crisis 1979-1981". National Archives and Records Administration. Retrieved 10 May 2026.
- "1979 Iran Hostage Crisis Recalled". National Security Archive. George Washington University. 4 November 2019. Retrieved 10 May 2026.
- "The CIA's 'Minerva' Secret: Operation Condor Countries Used Crypto AG Devices Without Realizing the CIA Owned the Company". National Security Archive. George Washington University. 11 February 2020. Retrieved 10 May 2026.
- "Chile and the United States: Declassified Documents Relating to the Military Coup, September 11, 1973". National Security Archive. George Washington University. Retrieved 10 May 2026.
- Miller, Greg; Mueller, Robert (15 February 2020). "Compromised encryption machines gave CIA window into major human rights abuses in South America". The Washington Post. Retrieved 10 May 2026.
- Brustolin, Vitelio (2020). "Exploring the relationship between Crypto AG and the CIA in the use of rigged encryption machines for espionage in Brazil". Cambridge Review of International Affairs. 36 (1). doi:10.1080/09557571.2020.1842328. Retrieved 10 May 2026.
- Smith, Gareth (18 May 2020). "Dutch spies helped Britain's GCHQ break Argentine crypto during Falklands War". The Register. Retrieved 10 May 2026.
- "Report: CIA was able to read Argentina's encrypted messages during Malvinas War". Buenos Aires Times. 11 February 2020. Retrieved 10 May 2026.
- "British forces during Falklands' war benefited from CIA Crypto AG decoded messages". MercoPress. 14 February 2020. Retrieved 10 May 2026.
- "Crypto AG machines compromised to present day?". Submarine Matters. 4 April 2021. Retrieved 10 May 2026.
- "CIA Spied Using Sabotaged Encryption Equipment It Sold to Foreign Governments Since the 1970s". Gizmodo. 11 February 2020. Retrieved 10 May 2026.
- Miller, Greg (11 February 2020). "'The intelligence coup of the century': For decades, the CIA read the encrypted communications of allies and adversaries". The Washington Post. Retrieved 14 May 2026.
- Dymydiuk, Jason (2020). "RUBICON and revelation: the curious robustness of the 'secret' CIA–BND operation with Crypto AG". Intelligence and National Security. 35 (5): 641–658. doi:10.1080/02684527.2020.1774853. Retrieved 14 May 2026.
- "1986 West Berlin discotheque bombing". Encyclopædia Britannica. Retrieved 10 May 2026.
- "La Belle Discotheque Bombing". Sage Reference, Encyclopedia of Terrorism. Retrieved 10 May 2026.
- Jacobs, Bart (2020). "Maximator: European signals intelligence cooperation, from a Dutch perspective". Intelligence and National Security. 35 (5): 659–668. doi:10.1080/02684527.2020.1743538. hdl:2066/221037. Retrieved 14 May 2026.
- Kempster, Norman (15 April 1986). "Cables Cited as Proof of Libyan Terror Role: 2 Messages to Kadafi Headquarters Predicted, Confirmed W. Berlin Bombing, Reagan Says". Los Angeles Times. Retrieved 14 May 2026.
- Miller, Greg (11 February 2020). "'The intelligence coup of the century'". The Washington Post. Retrieved 10 May 2026.
- "NSA, Crypto AG, and the Iraq-Iran Conflict". Hermetic Systems. Retrieved 10 May 2026.
- "The Iraq Project". National Security Archive. George Washington University. Retrieved 10 May 2026.
- "The Spy Heist of the Century: Operation Rubicon & Crypto AG". Spyscape. Retrieved 10 May 2026.
- "Manuel Noriega: Facts & Biography". Encyclopædia Britannica. Retrieved 10 May 2026.
- "How the US Captured Manuel Noriega in 1989". History. Retrieved 10 May 2026.
- "Operation Just Cause: U.S. Invasion of Panama". Encyclopædia Britannica. Retrieved 10 May 2026.
- "Operation Just Cause: Noriega Surrenders". United States Army. 4 February 2022. Retrieved 10 May 2026.
- "Panamanian dictator Manuel Noriega surrenders to U.S." History. 3 January 1990. Retrieved 10 May 2026.
- "CIA, Germany's BND secretly owned key encryption firm". Anadolu Agency. 11 February 2020. Retrieved 10 May 2026.
- "Crypto AG: The NSA's Trojan Whore?". Meta Religion. Retrieved 10 May 2026.
- "How manipulated Swiss tech shaped world politics". SWI swissinfo.ch. 12 February 2020. Retrieved 10 May 2026.
- Miller, Greg (11 February 2020). "'The intelligence coup of the century'". The Washington Post. Retrieved 10 May 2026.
- "CIA's Secret Ownership of Crypto AG Enabled Extensive Espionage". Dark Reading. Retrieved 10 May 2026.
- "A Darker Horizon: The Assassination of Shapour Bakhtiar". Iran Human Rights Documentation Center. Retrieved 10 May 2026.
- "Ali Vakili Rad: The perfect murder and an imperfect getaway". France 24. 18 May 2010. Retrieved 10 May 2026.
- "'A Darker Horizon': The Assassination of Shapour Bakhtiar". PBS / Frontline Tehran Bureau. 6 August 2011. Retrieved 10 May 2026.
- "Covid-19 Claims the Life of a Traitor Assassin". IranWire. Retrieved 10 May 2026.
- "Timeline: Iran's Foreign Plots and Assassinations". The Iran Primer. United States Institute of Peace. Retrieved 10 May 2026.
- "NZ spies broke into Indian and Iranian embassies for CIA and MI6". The New Zealand Herald. 26 February 2016. Retrieved 14 May 2026.
- "Former IRGC minister details Iran's global assassination campaign". Iran International. 9 March 2025. Retrieved 10 May 2026.
- "Kocka je odbačena" [The die is cast]. Portal Novosti (in Croatian). 14 February 2020. Retrieved 10 May 2026.
- "How the American secret service CIA and the German BND bought a Swiss company and with its cameras eavesdropped on half the world". Koha Ditore. 11 February 2020. Retrieved 10 May 2026.
- "Crypto AG: BND und CIA spionierten auch Österreich aus" [Crypto AG: BND and CIA also spied on Austria]. Vienna.at (in German). 12 February 2020. Retrieved 10 May 2026.
- "Ovo je najveća špijunska operacija Zapada ikada: Probali da nadgledaju i Jugoslaviju, ali odmah su provaljeni" [This is the greatest Western espionage operation ever: They tried to monitor Yugoslavia, but were immediately discovered]. Intermagazin (in Serbian). 24 February 2020. Retrieved 10 May 2026.
- "Jugoslavija je bila na meti najveće tajne špijunske afere! Jedan čovek je odigrao ključnu ulogu" [Yugoslavia was targeted by the greatest secret spy affair! One man played a key role]. Espreso (in Serbian). 24 February 2020. Retrieved 10 May 2026.
- "Najveća špijunska afera u istoriji - kako se Jugoslavija nije dala" [The greatest spy scandal in history: how Yugoslavia fought back]. CdM (Cafe del Montenegro) (in Serbian). 1 October 2022. Retrieved 10 May 2026.
- "MCC-314". Crypto Museum. Retrieved 28 May 2026.
- "Tajna uređaja HC-5205: Kako su svi razgovori državnog i vojnog vrha završavali u Vašingtonu" [The secret of the HC-5205 device: How all conversations of the state and military leadership ended up in Washington]. Nedeljnik (in Serbian). 20 February 2020. Retrieved 10 May 2026.
- "Persian Gulf War". Encyclopædia Britannica. Retrieved 10 May 2026.
- "NSA, Crypto AG, and the Iraq-Iran Conflict". Hermetic Systems. Retrieved 10 May 2026.
- "Reviewing the Attacks on CIA's Gulf War Performance" (PDF). CREST. Central Intelligence Agency. Retrieved 10 May 2026.
- Miller, Greg (11 February 2020). "'The intelligence coup of the century'". The Washington Post. Retrieved 10 May 2026.
- "The Swiss company that spied on the world". Le News. 12 February 2020. Retrieved 10 May 2026.
- "For Decades, India Used CIA-Monitored 'Encrypted' Devices: Report". The Quint. 14 February 2020. Retrieved 10 May 2026.
- "CIA snooped on India, Pak via firm that sold encrypted communication devices: Report". The Week. 12 February 2020. Retrieved 10 May 2026.
- "Looking Back: The 1998 Indian and Pakistani Nuclear Tests". Arms Control Association. 1 June 2008. Retrieved 10 May 2026.
- "India-Pakistan Nuclear Tests and U.S. Response". EveryCRSReport (Congressional Research Service). 24 November 1998. Retrieved 10 May 2026.
- "Indians Hid Nuclear Tests from U.S. Spies". The Washington Times (via FAS). 12 May 1998. Retrieved 10 May 2026.
- "U.S. Intelligence and India's Nuclear Tests: Lessons Learned". EveryCRSReport (Congressional Research Service). 11 August 1998. Retrieved 10 May 2026.
- "CIA Missed Signs of India's Tests, U.S. Officials Say". The Washington Post. 13 May 1998. Retrieved 10 May 2026.
- Miller, Greg (11 February 2020). "'The intelligence coup of the century'". The Washington Post. Retrieved 10 May 2026.
- "CIA snooped on India, Pak via firm that sold encrypted communication devices: Report". The Week. 12 February 2020. Retrieved 10 May 2026.
- "Crypto International blames Swiss government for imminent demise". SWI swissinfo.ch. 4 July 2020. Retrieved 28 May 2026.
- "Crypto International confirms mass job losses". SWI swissinfo.ch. 28 August 2020. Retrieved 28 May 2026.
- Schneier, Bruce (11 February 2020). "Crypto AG Was Owned by the CIA". Schneier on Security. Retrieved 10 May 2026.
- Dobson, Melina (2020). "Operation Rubicon: Germany as an Intelligence 'Great Power'?" (PDF). Intelligence and National Security. pp. 608–622. Retrieved 10 May 2026.
- "Operation RUBICON: An Assessment With Regard to Switzerland's Duties Under the Law of Neutrality". International Journal of Legal Information. Cambridge University Press. 2022. doi:10.1017/jli.2022.29. Retrieved 10 May 2026.
Further reading
- Miller, Greg (11 February 2020). "'The intelligence coup of the century'". The Washington Post. Primary investigation.
- Miller, Greg; Mueller, Robert (15 February 2020). "Compromised encryption machines gave CIA window into major human rights abuses in South America". The Washington Post. Follow-up on Operation Condor.
- Dymydiuk, Jason (2020). "RUBICON and Revelation: The Curious Robustness of the 'Secret' CIA-BND operation with Crypto AG". Intelligence and National Security. 35 (5): 641–658. doi:10.1080/02684527.2020.1774853. Academic analysis (Warwick).
- Jacobs, Bart (2020). "Maximator: European signals intelligence cooperation, from a Dutch perspective". Intelligence and National Security. 35 (5): 659–668. doi:10.1080/02684527.2020.1743538. hdl:2066/221037. First public disclosure of Maximator.
- Dobson, Melina (2020). "Operation Rubicon: Germany as an Intelligence 'Great Power'?". Intelligence and National Security. 35 (5): 608–622. German dimension.
- Brustolin, Vitelio (2020). "Exploring the relationship between Crypto AG and the CIA in the use of rigged encryption machines for espionage in Brazil". Cambridge Review of International Affairs. 36 (1). doi:10.1080/09557571.2020.1842328. Brazilian dimension.
- "The CIA's 'Minerva' Secret". National Security Archive. George Washington University. 11 February 2020. Declassified documents.
- "Hagelin and Friedman: The Gentlemen's Understanding". National Security Archive. George Washington University. 19 February 2020. Friedman documents.
- "The report of a Swiss investigation into the case of Crypto AG". Electrospaces.net. 30 December 2020. Analysis of GPDel report.
- "Operation RUBICON: An Assessment With Regard to Switzerland's Duties Under the Law of Neutrality". International Journal of Legal Information. Cambridge University Press. 2022. Legal analysis of Swiss neutrality.
External links
- Operation Rubikon at ZDF (in German)
- Weltpolitik mit manipulierten Chiffriergeräten at SRF (in German)
- The CIA's 'Minerva' Secret at the National Security Archive
- Operation Rubicon at the Crypto Museum