The revelation, described in a CIA report as “the intelligence coup of the century,” has been reported for the first time in a joint investigation from The Washington Post and German broadcaster ZDF.

The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.

The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.

The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets.

The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.

“It was the intelligence coup of the century,” the CIA report concludes. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”

From 1970 on, the CIA and its code-breaking sibling, the National Security Agency, controlled nearly every aspect of Crypto’s operations — presiding with their German partners over hiring decisions, designing its technology, sabotaging its algorithms and directing its sales targets.

Then, the U.S. and West German spies sat back and listened.

The program had limits. America’s main adversaries, including the Soviet Union and China, were never Crypto customers. Their well-founded suspicions of the company’s ties to the West shielded them from exposure, although the CIA history suggests that U.S. spies learned a great deal by monitoring other countries’ interactions with Moscow and Beijing.

There were also security breaches that put Crypto under clouds of suspicion. Documents released in the 1970s showed extensive — and incriminating — correspondence between an NSA pioneer and Crypto’s founder. Foreign targets were tipped off by the careless statements of public officials including President Ronald Reagan. And the 1992 arrest of a Crypto salesman in Iran, who did not realize he was selling rigged equipment, triggered a devastating “storm of publicity,” according to the CIA history.

But the true extent of the company’s relationship with the CIA and its German counterpart was until now never revealed.

The German spy agency, the BND, came to believe the risk of exposure was too great and left the operation in the early 1990s. But the CIA bought the Germans’ stake and simply kept going, wringing Crypto for all its espionage worth until 2018, when the agency sold off the company’s assets, according to current and former officials.

The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.

Even so, the Crypto operation is relevant to modern espionage. Its reach and duration help to explain how the United States developed an insatiable appetite for global surveillance that was exposed in 2013 by Edward Snowden. There are also echoes of Crypto in the suspicions swirling around modern companies with alleged links to foreign governments, including the Russian anti-virus firm Kaspersky, a texting app tied to the United Arab Emirates and the Chinese telecommunications giant Huawei.

Spies often use businesses as cover

ESPIONAGE AND business have long been entangled. In “Live and Let Die”, Ian Fleming’s second novel, James Bond masquerades as a businessman working for Universal Export, a flimsy front company for MI6 that occupies a “big, grey building near Regent’s Park”. In “On Her Majesty’s Secret Service”, published almost a decade later, the game is up. “As cover, solid cover, Universal was ‘brûlé’ with the pros”, rues Bond. “It had been in use too long. All the secret services in the world had penetrated it by now. Obviously Blofeld knew all about it.”

Ernst Blofeld, head of Spectre, a global criminal syndicate - a man in need of secret communications - would doubtless also have been wise to Crypto AG, a Swiss company that rose to dominate the global market for cipher machines after the second world war.

By the 1990s it was apparent that the firm was in bed with the National Security Agency (NSA), America’s eavesdroppers. The truth, it turns out, was even more remarkable. From 1970 to the 2000s, at least, Crypto AG was wholly owned by the CIA and, until 1993, the BND, Germany’s spy agency, according to the Washington Post. “It was the intelligence coup of the century,” crowed a CIA report. “Foreign governments were paying good money…for the privilege of having their most secret communications read.”

Rumours that the Zug based company Crypto had links to the secret services had always existed. But now documents from the CIA and the German Federal Intelligence Service BND prove it: For decades, the two secret services were using manipulated encryption devices from the Swiss company Crypto for worldwide eavesdropping. The scale is enormous: more than one hundred states were bugged by the CIA and the BND. Hundreds of thousands of secret messages between government agencies, authorities, embassies or military agencies were systematically intercepted.

Crackable devices sold as safe

In 1970, the West German BND and the CIA bought equal shares in the company Crypto AG –under cover of a foundation in Liechtenstein. Previously, the organisations had collaborated informally, but with the purchase of the company, the secret services now had complete control.

Crypto AG was the market leader for encryption devices –machines that are supposed to encrypt secret communications to prevent their being intercepted.As Bruno von Ah, a former employee of Crypto AG, told the «Rundschau»: ‘At some point, my manager and I noticed that the devices had a built-in back door.’

For decades, Crypto AG built two forms of encryption into their devices: a safe one and one that wasunsafe, i.e. that could be cracked. Only a few countries, including Switzerland, received the safe version.

‘Operation Rubikon’

In the approximately 280 pages of the secret service dossier, the so-called ’Operation Rubikon’ is described as ‘One of the most successful intelligence operations of the post-war period’.

In the assessment of Professor Richard Aldrich of Warwick University: “Operation Rubikon was one of the boldest and most scandalous operations ever, with over a hundred states paying billions ofdollars to have their state secrets stolen.”Crypto AG supplied devices to countries all over the world, including Saudi Arabia, Argentina, Iraq, Egypt, Brasil and Iran.

The company operated from Switzerland, which was considered neutral –this being an important selling point during the Cold War and the Middle East conflict. The USA in particular exploited this politically. Its ability to eavesdrop on other countries gave the USA an enormous advantage in negotiations or in strategic warfare.

The Crypto devices played an essential role in the Camp David negotiations in 1979, in the negotiations over the American hostages in Iran in 1981 and in the USA’s invasion of Panama in 1989. The documents also prove for the first time that the BND and the CIA had early information on the serious violations of human rights by the Argentine military junta.

The decrypted radio communications of the Argentine Navy, transmitted by Germans and Americans, contributed decisively to Britain's victory in the Falklands War in 1982.The German intelligence expert Erich Schmidt-Eenboom spoke of it to the «Rundschau» as an ‘extraordinarily important operation’. At some periods, at least 50, if not 70 percent of the intelligence gathered by the CIA and the BND would have been attributable to the manipulated Crypto devices.

The operation ran until at least 2018 

The BND decided to pull out of the operation in 1993. Its withdrawal was negotiated by Bernd Schmidbauer, who had responsibility for the BND in the Federal Chancellery. Schmidbauer confirmed the research findings, saying: “The operation certainly contributed to making the world a bit safer.”

Meanwhile, the CIA kept its shares in the company and continued the operation until at least 2018. This is confirmed by several sources.

Were the Swiss secret services and politicians in the loop?

The documents show clearly that the Swiss secret services were aware of the CIA and BND operation: ‘The federal police (the Swiss equivalent of the American FBI) contacted Swiss military intelligence.

Certain high officials in the organization were generally aware of the German and American role in Crypto AG, and took a hand in protecting that relationship.’

Research by the «Rundschau»confirms: Staff of the Swiss intelligence services knew what was going on. However, those suspected of involvement at the time were not willing to comment or denied any knowledge of the operation.There is also evidence that ‘key government officials’ knew about the operation.

Department of Economic Affairs suspended general export licence

In 2018, Crypto AG split into a Swiss concern with the new name of CyOne Security and an international arm. This ‘Crypto International’ now belongs to the Swede Andreas Linde. He told the «Rundschau»: “Crypto International and I have nothing to do with the CIA or the BND.”

He said that the company was a completely different entity from the former Crypto AG: “With a new owner, a new management and a new strategy.”The Chairman of the CyOne Security Board, Peter Letter, made a statement to the «Rundschau»: “I can confirm that we have no links nor any relationship with foreign intelligence agencies.”

He said that CyOne Security AG was completely independent of the former company, Crypto AG.Nevertheless, in mid-December 2019, alarmed by the «Rundschau»’s discoveries, the Federal Councillor in the Swiss Federal Department of Economic Affairs, Guy Parmelin decided to suspend the general export licence of the company ‘Crypto International’.

The Department for Commerce confirmed the suspension to the «Rundschau», saying that it would be in force ‘until the open questions were cleared up’.The Swiss Federal Council reacted to the «Rundschau»research by setting up an investigation.

According to the lead Department, the Federal Department of Defence,the events surrounding Crypto AG are difficult to reconstruct and interpret today: ‘For this reason, the Federal Council decided on 15 January 2020 to appoint Niklaus Oberholzer, who served until the end of 2019 as a Swiss Federal judge, to investigate the case and clarify the facts.’ Oberholzer is to report back to the Federal Department of Defence by the end of June.