Gentleman's Agreement →
The secret purchase of Crypto AG by BND and CIA
THESAURUS 1 (later: RUBICON), was a secret operation of the
German Bundesnachrichtendienst (BND)
US Central Intelligence Agency (CIA),
to purchase the Swiss crypto manufacturer
Crypto AG (Hagelin)
— codenamed MINERVA —
in order to control the company, its algorithms and
– indirectly – its customers.
From 12 June 1970 2 onwards, Crypto AG was jointly owned by
BND, each with 50% of the shares, and from
30 June 1994 exclusively by the CIA
It was already known from the so-called
Friedman Collection – that was
partially released by the NSA in 2014 – that some kind of
existed between the NSA
and Crypto AG annex
probably resulting from their cooperation
But as the released documents were heavily redacted, much of the
remained clouded .
In February 2020, Peter F. Müller and Ulrich Stoll with David Ridd from the
German television station ZDF,
Greg Miller from the American newspaper
The Washington Post,
and Fiona Enders and Nicole Vögele from Swiss television (SRF) program Rundschau,
were able to fill in the gaps in the
and much more, based on internal CIA
and BND documents which they obtained.
Working with historians Erich Schmidt-Eenboom and Professor Richard Aldrich
on an investigation which lasted more than two years, they revealed that
had been owned by the Central Intelligence Agency (CIA)
and the Bundesnachrichtendienst (BND) since 1970.
Together with Huub Jaspers from the Dutch investigative
(VPRO) radio program Argos,
Crypto Museum's Paul Reuvers and Marc Simons
took part in the investigation and were able to advise on technical matters.
Discover how CIA
turned Crypto AG from a simple denial operation
into an active measures operation.
Learn which roles were played by the
Deutsche Treuhand Gesellschaft (KPMG),
a Liechtenstein law firm,
and Swedish intelligence.
The following story is about — in the words of the CIA —
The Intelligence Coup of the Century.
In the story below we have used cryptonyms for living people that we do not wish
to expose. Cryptonyms, such as MINERVA, are always written in upper case.
However, if people have already appeared in publications before,
or have given their consent, or if their
name is unambiguous, we have used their real names.
Organisations and companies are all referred to by their real names.
➤ Start reading
The Greek word THESAURUS means 'treasury'. In 1987 it was renamed
RUBICON (point of no return).
The official sale was on 4 June 1970, but on 12 June, 50% of the shares
were transferred to the CIA.
Contents of this page
Paul Reuvers and Marc Simons, 19 March 2020
Boris Casear Wilhelm Hagelin (2 July 1892 - 7 September 1983) was a
Russia-born Swedish engineer, inventor of
cipher machines and businessman.
In 1925 he developed his
first cipher machine,
whilst working with Arvid Gerhard Damm
at A.B. Cryptograph
in Stockholm (Sweden),
of which his father, Karl Wilhelm Hagelin, and the Nobel family
were investors. Hagelin eventually became
one of the largest and most successful manufacturers of cipher
machines: Crypto AG.
Hagelin was born on 2 July 1892 in Adschikent, a small town near Baku in
Azerbaijan, then part of the Russian Empire.
He was the son of a wealthy Swedish industrialist, Karl Wilhelm
Hagelin (KW), who managed the Baku oil fields for the Nobel family.
As KW was a personal friend of Emanuel Nobel, it was assumed that
Boris would someday take over management of the Nobel oil interests.
After an initial education in Russia, Boris was sent to Sweden, where
he graduated from the Royal Technical University in Stockholm in 1914,
with a degree in mechanical engineering. After his graduation he entered
service with ASEA – the Swedish General Electric – to apprentice for his
presumed role in the Nobel enterprises,
but the Russian Revolution of 1917 intervened and Boris would never
return to the Nobel oil fields.
After spending a year in the United States, Boris returned to Sweden
in 1922, where Emanuel Nobel employed him at
a small company set up in 1916 to exploit the cryptographic ideas
of the eccentric Arvid G. Damm. 1
Apart from a womanizer, Damm
was also a mechanical genius.
He had developed a rotor-based machine, the B-1, of which the
prototype was ready in October 1919. Two B-1 machines were later built
and tested by the Swedish PTT. From this, he developed a two-rotor machine,
B-13, 2 of which 20 units were built in France.
In 1925, Boris Hagelin became the general manager of the company and
in 1928, when the Swedish General Staff was looking for a new cipher machine
that could compete with the
German Zählwerk Enigma A28,
he took Damm's B-13 and added two of his (now) famous pin-wheels
to control the stepping of the rotors. It became known as the
In 1930, AB Cryptograph
was liquidated and Hagelin transferred the assets
to his new company Ingeniörsfirman Teknik. 2 He did not make much money until,
in 1934, they received an order from the French Army for an electrical
version of the B-21 with built-in printer.
It became known as the the B-211.
In the following year he also successfully developed a portable machine for the
French Army — the C-35 —
followed by the
that would form the base for his later designs.
➤ More about Boris Hagelin
It is often assumed that AB Cryptograph
was owned by Arvid Gerhard Damm,
but this appears not to be the case. The company was owned by Emanuel
Nobel and – like Boris Hagelin – Damm was just an employee.
Renamed AB Cryptoteknik in 1939.
William 1 Friedman was born in 1891 in Kishinev (Moldovia), then part of the
His father, Frederic Friedman, was the son of a Romanian Jew from Bucharest,
who worked at
the Tsarist post office as a translator. His mother was the daughter of a
successful wine merchant.
Barely a year after William was born, the family fled the country to escape
the pogroms. The family emigrated to the United States and ended up in
Pittsburgh, where William's father became a door-to-door salesman of
Singer sewing machines. But with the fluctuating economy of
western Pennsylvania, the Friedmans struggled to stay afloat
and were always short on cash.
William turned out to be a gifted student and in 1909, following high school,
he entered Cornell University as a genetics major. Six years later, in 1915, he was still
in graduate school when the department chairman received a request from
George Fabyan, a rich cotton merchant from Chicago. Fabiyan had established
a research institute by the name of Riverbanks,
in Geneva (Illinois, US) and was looking for bright students.
Genetics was one of the research fields at Riverbanks Laboratories
and Friedman became head of the Department of Genetics.
Another research field of the lab, was code and ciphers.
and it is in that department that he met his future wife Elizebeth Smith.
Soon after the outbreak of World War I (WWI), Friedman entered service and soon
became a renowned expert in codebreaking.
His first acquintance with
Hagelin cipher machines
was in 1927 when he visited the factory in Sweden.
➤ More about William Friedman
William Friedman was initially born Wolf Friedman, but three years after
emigrating to the United States, his first name was changed to William.
In 1935, the US Army was looking for a device
that could replace the aging M-94,
a hand cipher that had been around since
the days of Thomas Jefferson.
The M-94 pocket cipher
was easy to break, and the US Army wanted something more
secure, that was suitable for tactical messages.
Friedman's organisation – known as
the Signals Intelligence Service (SIS) –
was given the task to find a replacement for the
was well aware of Hagelin's machines, but disliked them. Although
they were theoretically safe, they could be set up in such a way
that they became highly insecure, making them easy to break.
In 1937, Friedman
and Hagelin met for the first time, when the latter
was touring the United States with his
C-36 cipher machine. They
hit it off immediately — they shared several interests —
and would stay in touch for the next 30 years.
In 1939, Hagelin was again in the United States, trying to sell
the latest version of his C-36
cipher machine to the US Army. The machine was demonstrated
to Friedman, who liked it but still found it too insecure when
used improperly. So, Hagelin went back to Sweden to improve the machine.
In April 1940, Germany invaded Norway, whilst the improved machine
wasn't ready yet. Fearing for the future in Sweden, Hagelin persuaded
the Swedish Government to make him an official courier, and left the
country with his wife Annie.
On 10 May 1940, following a distressful journey through war-torn Europe,
they finally reached Italy, where they boarded the Conte de Savoia;
the last ship that would sail to the United States.
In his luggage were two dismantled
and the engineering drawings. After several days, they arrived safely
in New York.
The rest is history. Hagelin finished the design and
sold the rights to the US Government for no less than US$ 8,614,790
using a French banker – James Paulding – and an American Wall Street
broker – Stuart Hedden – as feduciaries. 1 The new machine,
would become the workhorse of the US Army.
By the end of the war, no less then 140,000 had been built
at Smith & Corona in Syracuse (New York).
It made Hagelin the first crypto millionaire in the world.
Hagelin wanted the royalties to be described as 'capital gains'
which were not taxed in Sweden. Instead he payed 25% income tax
in the US. His gross proceeds were US$ 2.8 million (netting at
US$ 1.8 million). Pauling received US$ 430,000
and Hedden US$ 140,000. Smith & Corona made a profit of
US$ 5 million.
WWII was coming to an end. As soon as it was safe, Hagelin moved back to
Sweden, where he arrived in the fall of 1944. He reopened his factory and
had great expectations of future sales. But the post-war market was small
and poor, and sales kept dropping. In 1947, he sold just 54
machines. The high days of the war were clearly over and Hagelin went into
a depression. 1
Over the years he often considered closing the company's doors.
Only his intrinsic interest in cryptographic machines and his personal
wealth kept the company afloat during these lean years.
Hagelin had bouts of depression, which afflicted him
throughout his life.
Despite depressions and low sales figures, Hagelin continued to improve
his machines, and kept Friedman informed of any improvements and changes.
In the autumn of 1946 – following a visit of Hagelin to Washington
– Friedman paid his first visit to the Hagelin factory in Sweden since 1937.
He was anxious to learn the details of the announced CX-machines which,
according to Hagelin, would feature irregular stepping.
In his report about the visit ,
... it is clear that if he continues to improve his machines and make them
technically more secure, we shall sooner or later be faced with greatly
increased difficulties in continuing past successes in the solution of
In the following years, the relationship between Hagelin and the SIS –
by then dissolved into the AFSA – turned out to be troublesome.
In 1951, AFSA placed
a secrecy order on one of Hagelin's patents, and on top of that,
surplus M-209 machines
– the machine that had brought Hagelin's initial fortune during WWII –
were flooding the market, thereby effectively killing Hagelin's sales.
This was a clear violation of the wartime contract between Boris Hagelin and
the US Government.
Friedman chased the surplus sales as best he could,
but could not prevent large quantities being sold on the international
market. The problem with the
surplus M-209 machines
would not go away, and would return several times in the following years.
In fact, AFSA used it, to maintain its grip on Hagelin. If Hagelin would
not comply, they might release M-209 machines on market.
The Gentleman's Agreement
In the years following WWII, the US and UK were able to read the high-level
cipher systems of most countries (even allies), businesses and diplomatic
missions – with very few exceptions – whilst their own systems were
This changed in 1948, when the Russians changed all their systems,
and provided these to North Korea al well. In 1950, North Korea attacked
South Korea, and the US was unable to read their traffic for the remainder of
the Korean conflict.
Despite this setback, the rest of the world was still
readable, 1 as most countries used
realised that this would be over as soon as Hagelin introduced his new
CX-machines. It was clear, that
a deal should be made with Hagelin to prevent this from happening.
In January 1950, Hagelin was invited to Washington.
He had hoped to get a large order from the US Army,
but upon his arrival it became clear that the Americans
were about to introduce a new machine for NATO:
There were no plans to buy Hagelin equipment.
According to AFSA, his equipment was too strong to be broken,
but not strong enough for American use.
It is at this meeting, that Friedman made his first proposal to Hagelin.
He suggested that Hagelin would only sell readable equipment, and that
the worldwide sales of the new
would be controlled by the CIA.
In return, Hagelin would be compensated for this, and would move to the US with
his family, but remain a consultant for the CIA
for at least two years. Summarising:
- Hagelin will only sell readable machines
- The CIA will control the sales of secure CX-machines
- Hagelin will receive compensation (a lump sum of US$ 700,000) 2
- The Hagelin family will move to the US
- The CIA will accomodate the move of Bo Hagelin (Boris' son) to the US
- Hagelin's daughter will get a visa for her husband (who is a Turk)
- Hagelin will receive US 600 per month for consultancy
Friedman created a draft agreement and presented it to the
United States Communications Intelligence Board (USCIB)
and the AFSA Committee (AFSAC),
but despite Friedman's apocalyptic prospect
— we will be blind within a few years —
AFSAC turned it down as they did not trust Hagelin.
In June 1951, Friedman tried again with a revised proposal,
but it too was turned down.
In the meantime, Hagelin went back to Sweden and acted as if a deal
with AFSA/CIA had
been struck. He kept providing AFSA with details of his cumstomers,
and kept Friedman informed about the development of the new CX-machine.
In 1952, he even sent a nearly-completed
to Friedman for evaluation, something he wouldn't even have done for his
most valued customer. It became clear that the CX machine would
be difficult to break. Its interchangeable pinwheels and irregular
stepping defeated all existing methods for solving Hagelin machines.
The necessity for a deal with Hagelin remained, and the negotiations were
reopend several times in the following years, as and when there was
a pressing need.
Although the deal was never put in writing, it is clear that a
of some sort existed between Boris Hagelin and
the AFSA — meanwhile transformed into the newly founded
National Security Agency (NSA).
The deal was reviewed in 1953 — authorised by the first DIRNSA
Ralph Canine — and again in 1955 and in 1957,
and Friedman would always play an important role in the negotiations.
As part of the 1953 negotiations, it was agreed that,
as and when Hagelin was ready to retire and wanted to sell his company,
the US would have the first right of refusal.
Should the US decide not to buy, they could approve (or disapprove)
any potential buyer. Again, this was not put in writing.
At the same meeting, Hagelin suggested that NSA could develop the
cryptologic of the
➤ More about The Gentleman's Agreement
In this context, readable means that the cryptographic algorithms
could be broken by NSA.
Also known as friendly. In contrast:
algorithms that are not breakable by NSA,
are called unfriendly, unreadable or secure.
This was negotiated by Stu Hedden, Hagelin's representative in the US,
who would get US$ 250,000 of it.
In the meantime, Hagelin increasingly grew irritated by the restrictive laws
and high tax burden in Sweden.
It was his intention to sell machines to countries like
Indonesia, Turkey and Egypt, but the
Swedish intelligence service FRA
did not approve them.
After a short business escapade in 1949 with
Dr. Edgar Gretener in Switzerland —
they jointly developed the TKG-35 —
he decided to move his business there.
It would bring him closer to the action with fewer export restrictions.
In 1948, Hagelin had bought a villa in Zug (Switzerland) to which
he had moved with his family prior to starting the cooperation with
Dr. Edgar Gretener.
The joint venture with Gretener
did not last, and was terminated in less than a year.
Hagelin then started developing new machines from
his house in Zug, using two engineers: Lindmark – the primary engineer
of the Stockholm factory – and
– Gretener's main engineer – whom he had been able to lure away.
For the time being, new machines, like the
were developed in Switzerland and manufactured in Sweden.
In 1952, Crypto AG was officially opened, with
and his wife Emmy as the first two employees.
Over the next couple of years, additonal buildings were added and in 1956
Sture Nyberg moved with his family from Stockholm to Sweden to become
the new plant manager in Zug.
In 1958, the old AB Cryptoteknik in Sweden was officially liquidated.
In the following years, business went well for Crypto AG. The new
was well-received and sales figures were on the rise.
Boris's son – Bo Hagelin jr. – would soon move the USA to handle sales
in North and South America. By 1966, the premises in Zug would have become too small.
The legal construction in 1952
In 1950, before the launch of Crypto AG, a complex
company ownership structure was created, to avoid (or evade) the most
burdensome taxes. The diagram below shows how this was done.
The new Swiss company Crypto AG
was owned by a holding in tax paradise Principalty Liechtenstein,
under the name Anstalt Europaeische Handelsgesellschaft (AEH),
the legal owner of which was initially Anstalt Domar, a legal
entity of the Liechtenstein law firm Marxer and Goop.
Ownership was in bearer shares,
which were transferred, immediately after creation, to Hagelin's
Nymphen Stiftung, using a so-called Blanko Zession (blank form),
a creation of Marxer and Goop that would hide the actual ownership.
The public would think that the owner of AEH was Anstalt Domar, but in
reality the shares had been transferred. Any questions about the
ownership, would be deflected by Marxer and Goop who, being
a law firm, did not discuss the affairs of its clients.
When Hagelin opened
Crypto AG in 1952, he was already 60 years old.
He had planned to retire in 1957, when he reached the age of 65, and leave
the company to his son Bo, but history would decide otherwise.
In 1955, after a
visit to Hagelin's factory in Zug,
suffered a heart attack. He retired in August of that year and Hagelin lost
his valued friend and prime NSA contact.
The relationship between Boris and Bo
deteriorated. Bo appeared to be
homesick and his new American wife was not liked by the Hagelin family.
Furthermore he was spending far too much money.
The situation was worsened by a dispute over the new
CD-55 pocket cipher machine,
of which both Hagelin's claimed the invention.
Hagelin fell out with his new NSA contact, Dr. Shinn, and
in 1957, Bill Friedman
had to be recalled from retirement to
reopen the negotiations.
At several moments in time, Hagelin had contemplated selling his company.
He had established a good working relationship with
Siemens in Germany,
he was tired of the
relationship with his son Bo
and, more importantly, he was tired of the restrictions imposed by the Americans,
the French and probably also the Swedes.
In the meantime, stocks of the new
kept piling up,
to the point were, in 1957, he decided to covertly start selling
the machines to denied countries:
This was the year in which he had intended to retire, and on
Friedman's visit to Zug in September 1957,
he told him that he had two options:
(1) handover management of the company to
his son Bo, or (2) sell out to
Siemens, neither of which was
Friedman reminded him of a third option, discussed during the 1953
and 1955 negotiations: sell out to the Americans.
Although Hagelin initially rejected the idea,
he later asked Friedman to broach it with American authorities.
Friedman wasted no time and immediately wrote a proposal, but the idea
met with fierce opposition within NSA. It wasn't worth the risk
and there were good prospects for breaking (at least some of)
the CX-traffic anyway.
Friedman crusaded for months, but John Samford – the new DIRNSA who
had taken over from Ralph Canine in late 1956 – was not very fond of him.
Licencing agreement with CIA
In Washington, the matter was discussed between the NSA
and the CIA,
and negotiations about 'The Hagelin Problem' were started.
But then, in May 1958, NSA abruptly opted out and turned all
its files over to the CIA, where the matter was handled directly
by Director Allen Dulles, DDP Richard Bissell and General Councel
The NSA – and therefore also
were no longer in the loop. Friedman made one final official trip to
Switzerland, on 8 June 1958, to explain matters to Hagelin and to introduce
him to the new CIA negotiator: John Ferguson.
John Ferguson was an American lawyer who lived in Paris (France).
He quickly put a deal together, in which the CIA would covertly purchase
the company for US$ 2,000,000, with annual payments of US$ 50,000 for at
least five years. The money would be channeled to Boris Hagelin through a
Swiss company that had been setup for this purpose —
Pan European Corporation (PEC).
A German entrepreneur, Eric Warburg, was hired to setup an overt company
that would act as the ostensible owner, although in reality, PEC
would be the owner. Boris Hagelin would effectively retire and receive an
annual fee for consultancy. Despite the NSA's earlier objections, they
agreed with the purchase (although they had opted out,
the CIA still needed its consent).
After the deal would be signed, both Hagelin
and Friedman would be out of the picture,
and Sture Nyberg – whom Hagelin preferred over his son Bo –
would become the new managing director.
But it was not to be. In mid-1959, accountants concluded that the firm's
value was less than the anticipated US$ 2,000,000, and that new calculations
had to be made. In addition, NSA — where the pros and cons were
equally divided — again opted out of the purchase on 6 October 1959.
In the end, the CIA went for
a simpler solution: a licencing agreement, in which Hagelin remained the
owner, but sales to certain listed countries were prohibited. Basically the
same as the original Gentleman's Agreement,
but in writing. Hagelin could sell anything to all NATO countries plus
Switzerland and Sweden, and the rest was subject to a chart that was
attached to the agreement.
Eric Warburg was no longer needed, but PEC was kept to allow money to be
channeled to Hagelin.
Hagelin would get US$ 600,000 as compensation
for lost sales, plus an annual fee of US$ 75,000 for consultancy
for as long as the agreement lasted, which was at least 5 years with
an automatic renewals for one year (after 1965). After 1975,
the renewals would require the consent of both parties.
On 10 November 1960, after numerous objections by the NSA, the licencing
agreement between Hagelin
and the CIA was finally signed.
The project was given the cryptonym SPARTAN.
The start of the SPARTAN program coincided with a dramatic increase
of sales at Crypto AG, as shown in the diagram above. By 1963, the
premises in Zug had become too small and a large new building was
erected in nearby Steinhausen. It was opened in 1966 and housed
Many of the new sales were in Latin America. Hagelin had always
assumed that these countries were not on the proscribed list,
but when in 1960 NSA admitted that they were very sensitive to
sales in that area, Hagelin stopped supplying secure machines
to these countries. He stopped advertising the
CX-52 below the
Mexican border, and managed to persuade Brazil — who had purchased
CX-52/RT machines 1
— to swap them for the exploitable (readable) CX-52-M-27.
In 1963, NSA requested a modification of the agreement, in order
to impose more stricter guidelines on equipment sales.
compensated Hagelin for the additional loss in sales,
in four installments, as shown in the diagram above. In addition,
the CIA payed US$ 10,000 per year for sales efforts into countries
that might be unprofitable, but which the NSA would like to see
using exploitable equipment. NSA
and CIA finally agreed to rewrite
the instruction manuals for the machines, so that different
customers would get a different understanding of secure operation. 2
By 1969, only Argentina was using a machine that was invulnerable to
cryptanalytic attack. It is unclear which machine this was, but
it seems likely that it was a
CX-52 or perhaps a
CX-52/RT — a
one-time tape machine (OTT)
— which is unbreable when used properly.
Crypto Museum can confirm that it has found such machines in
South American countries like Uruguay and Argentina.
RT or Random Tape machines, use the
One-Time Tape principle
and are theoretically unbreakable.
It had previously been arranged with NSA – as part of the
– that NSA would write the (manipulated) 'manuals for proper use',
but this had never happened.
The age of the shift-register
By the mid-1960s it became clear that the days of the mechanical
cipher machines would soon be over, and that electronic shift-registers
would be the way forward.
A shift-register — roughly the electronic equivalent of a cipher wheel —
is filled with random bits (the key) and then used to create a virtually
infinite random stream of bits – ones and zeros – in a seemingly random order.
The diagram above shows a simple 16-stage shift-register.
On each step, the contents are shifted to the left
by one position, producing an output bit at the left, and a vacant position
at the right. The vacant position is then filled by taking the bits from
carefully selected positions, and adding them together (modulo-2). This way,
complex tapping schemes and combined shift-register circuits can be used
to create complex Linear-Feedback Shift Registers (LFSR) — later also
Nonlinear-feedback shift registers (NLFSR) — resulting in
complex crypto algorithms .
In 1965, it was decided that Crypto AG should make the move to fully
electronic cipher machines based on shift-registers, as otherwise the
company would lose business to other – unreadable – manufacturers.
It would make the NSA's cryptanalytic problem much bigger,
but NSA's Peter Jenks figured out a way to make
a shift-register that looked random from the outside, but was in fact
exploitable. Dedicated machines for breaking shift-register algorithms would
have to be built, at some considerable cost on the part of the NSA,
but it would certainly be worth the effort.
Jenks first tried his idea on the existing
The machine could be set up in such a way that it produced a short cycle
length (period), which was easy to break.
Jenks 'improved' the cycle length, albeit with a predictable
pseudo-random motion that he could successfully attack.
Hagelin knew that this was the case, but kept his mouth shut, and
Crypto AG advertised it as the more secure
CX-52M variant, which customers
immediately started ordering in quantities.
The same could be done with shift-registers, but to make it work, the NSA would have
to design the cryptologic. And so it happened.
Crypto AG developed
its first electronic cipher machine
— designated H-460 —
and NSA developed the
cryptologic for it, which was ready in March 1965.
But at Crypto AG, the project than ran into trouble, as we will see in
one of the next chapters.
The licencing agreement passed its five-year point in 1965 without any
serious problems. By 1967, the SPARTAN program had exceeded the CIA's
and NSA's wildest expectations.
It had changed from a simple denial operation 1 into
a full active measures operation.
Not only did the CIA control
to which countries readable equipment was sold, but by designing
the cryptologic for the next generation of (electronic) machines,
NSA had provided a mechanism that allowed
insert exploitable machines anywhere in the world.
This was a completely unexpected bonus.
A denial operation is a theoretical framework, in which certain information
and/or techniques are kept from certain organisations or individuals. In
this context it means that certain secure (unreadable) cipher machines were
kept from certain countries.
The MINERVA purchase
The French connection
Although the relationship between Hagelin
and the CIA became closer by
the year, there were also threats. On 29 November 1966, Boris' wife Annie had died,
and CIA was afraid that he might soon retire. It would therefore be wise
to reconsider the agreement sooner rather than later.
But the French were about to throw a spanner in the works.
On a visit to Paris in early January 1967, Hagelin was approached by
André Mueller of the French cipher service, who wanted to buy
on behalf of the French and German governments. Mueller had spoken with
— the head of the German cryptanalytic service ZfCh —
who had given him the green light. Money was no object, and the US and
UK interests (NSA,
GCHQ) would be taken care of.
On 23 January 1967, an agitated
called his CIA case officer,
requesting an urgent meeting. He informed him about the French proposal.
CIA officials subsequently contacted Sture Nyberg – effectively
the managing director of Crypto AG – who confirmed that Dr. Wilhelm Göing,
Hüttenhain's deputy, had made the same offer two months earlier. It seems
likely that Hagelin had a side deal with the French, that dated back to the
sale of 5000 C-35 machines in 1936
The German approach
The American agencies CIA
and NSA had a good relationship with their
German partners, the
and the Zentralstelle für das Chiffrierwesen (ZfCh),
that dates back to the days following WWII.
In 1962, the NSA and the British
GCHQ had established a presence in Germany – the Combined Group Germany (CGG) –
but its role was limited to the exchange of intercepted traffic and product
reports. So, the CIA hestitated and hestitated.
Hagelin, who wanted the Americans' consent for a deal between the French and
Germans, also delayed. But in October 1967, during a visit to the ZfCh
in Bonn, Nyberg was informed by
Erich Hüttenhain that everything had been
settled. The Germans had the money and all arrangements had been made to
purchase the company from Hagelin for 25 to 30 million Swiss francs. 1
But it was not settled. The Americans had not been informed and Hagelin
was asked to broach the subject with the CIA himself.
He hesitated, as he knew the Americans wouldn't like it.
Nothing happened during 1968, but in early 1969, Hagelin began pressing
the Americans for a decision.
Shortly afterwards, Wilhelm Göing – who was about to become the next
head of ZfCh – flew to Washington with a proposal. It involved
the well-known German technology giant
who would become the apparent owner.
The purchase would be financed by French and German intelligence.
The question now was: were the Americans interested in becoming
partners as well?
The American decision
NSA liked the idea of bringing
Siemens in, but didn't want any
French involvement. In addition, they saw nothing more than a technical
role for NSA, so, in March 1969,
was informed that NSA was not interested.
Messages went back and forth between Germany and
the US. The CIA liked the idea of being able to supply controlled
cryptography to certain countries, but the NSA did not want any
involvement. It was suggested that the Germans should proceed on their own.
In September '69, Hagelin informed his CIA case officer that
(ZfCh) wanted to proceed with the purchase, which prompted the
NSA to reconsider its position. It agreed to work with the
CIA and the Germans,
to buy Crypto AG for US$ 7 million,
for an equal partnership with the German BND.
BND would each pay US$ 3.5 million,
and the French would be shut out.
by now firmly under control of BND – would
act as the ostensible owner. French and Swedish intelligence
services would be informed, but should think that
Siemens was the owner. 1
But there was one more hurdle to be taken. The BND was unable to
pull the necessary cash from its modest operating budget, and were
reluctant to inform the country's politicans about the clandestine deal.
So, it asked Siemens
to come up with the money and become a 50% owner.
But in December 1969, Siemens got cold feet
and backed out of the deal.
Luckily, when BND briefed the
Chancellor's intelligence coordinator,
the latter became estatic and raised the required cash.
The Swiss were not informed (to allow for plausible deniability). It was
assumed however, that they would be informed by Hagelin himself.
The actual sale was made on 4 June 1970, the day on which the shares
of the company were passed to the BND,
for a total amount of CHF 25 million (~ US$ 7 million).
And the agreement with
the CIA was contained in a memorandum of understanding of 12 June 1970.
To hide the actual ownership from public view, a
complex scheme of companies and fiduciaries was used.
Hagelin received his CHF 25 million in three installments: one with
the sale on 4 June 1970, and two further ones in the next
two years. He had remarried in 1969, and insisted that a pension be
provided for his wife Elsa 1 after his death.
were now the joint owners of Crypto AG.
Ownership of the company was in barer shares, that were deposited
in the Schweitzerische Kreditanstalt (now: Credit Suisse) under the name
of Deutsche Treuhand Union (DTU), a German feduciary. Originally there
were 3000 shares that BND had obtained from Hagelin, but this was
increased to 4500 in 1977 and to 6000 in 1978, probably to inject additional
capital for new developments.
DTU board members voted the majority
of the shares on behalf of the owners. 2
The new partners – BND
and CIA – decided to call their joint project
but changed it to RUBICON (point of no return) in 1987.
Crypto AG itself would be called
MINERVA. In order to establish or change the policy
of the company, the partners held periodic conferences in which the course
of action was determined. These were in fact covert board meetings.
Elsa Hagelin (née Svensson) had been the nurse of Hagelin's late wife Annie.
The names of the representatives are known, but we have chosen not to
had backed out, and did not become
the actual owner of the company, the BND required its cooperation.
It was decided that Siemens
would provide a so-called Beirat
– an external advisory board – that would assist Crypto AG with new
The BND could then influence designs and algorithms
Zentralstelle fur das Chiffrierwesen (ZfCh).
Furthermore, it was agreed that Siemens
would act as a legend, in case the actual ownership of the company
was ever questioned. Should it ever be necessary,
could pretend to be the owner, which was credible given the
fact that it provided assistence through the Beirat route.
The legal construction in 1970
The diagram below shows how it was done.
In a secret agreement of 1 June 1970,
the Bundesvermögensverwaltung (BVV), 1
transfered the money to the
Deutsche Treuhand Gesellschaft München (DTG-M) — today known as KPGM.
The Founder's Rights of AEH were sold for cash by Hagelin's
Nymphen Stiftung to DTG in a sales contract dated 2 June 1970.
The Nymphen Stiftung then transferred its Founder's Rights
to Anstalt Domar – Marxer and Goop's creation that acted as the
ostensible owner – who then issued a Blanko Zession 2
to DTG. These were the barer shares.
DTG passed the Blanko Zession on to the
BVV, which acted as a cover for the
The BVV then gave the Blanko Zession to the
This way, no one, not even the law firm Marxer and Goop
was aware that the BND was behind the deal.
DTG was the fiduciary and the ostensible owner as far as Marxer and Goop
And BVV was the owner as far
as DTG was concerned.
On 12 June 1970, in a memorandum of understanding, the BND transferred
half the shares to the CIA
so that no one, not even the
Deutsche Treuhandgesellschaft, was aware of any CIA involvement.
At the BND, the project was handled by the 4th Directorate, 3 under which the
German cipher authority ZfCh resided.
The ZfCh delivered input to
through its Beirat,
influenced the products and cipher algorithms of Crypto AG.
All under direct control of the German BND.
In the US, things were slightly more complicated. Although the CIA owned
50% of the company, codebreaking was the responsibility of the NSA, so
there had to be some level of cooperation between the two services.
NSA developed readable algorithms, which were then
passed by the cover company Intercom Associates
to Motorola, where they were implemented
in new products that they (Motorola) developed on behalf of Crypto AG.
All under indirect control of the CIA.
The Bundesvermögensverwaltung (BVV) is roughly the equivalent
of the American General Services Administration.
The BND frequently used (and uses) the BVV for secret and covert
Blanko Zession (blank form) was a creation of the Liechtenstein
law firm Marxer and Goop (later: Marxer and Partner), that was
used for Anstalten (institutions), rather than stock companies.
The Blanko Zession stated who the initial owner was, and had a
blank space for a potential new owner. In reality, the blank space
was never used and only the barer shares constituted
At the time of the sale, ZfCh was an independent body under
Directorate II of the BND, but in 1973 is was placed under
direct control of Directorate IV of the BND, which also
handled Project THESAURUS (RUBICON).
The new CAG-owners
and CIA – now had a grip on all products that were developed both externally
and internally. The diagram below shows how this was done. The BND could,
through the ZfCh,
who would then, through the
influence Crypto AG.
talked with the NSA, and both supplied experts for the cover company
which offered its expertise either directly to Crypto AG
or indirectly, through Motorola developments.
There are several accounts from former Crypto AG personnel
that the company had frequent visits from
Intercom Associates people, including
NSA's Nora Mackebee, who – in addition to the Beirat –
advised the developers on subjects like cryptographic algorithms
After the sale of Crypto AG had been completed in 1970,
took a step back and retired at the age of 78, thirteen years later
than anticipated. At the same time, Sture Nyberg, who had been the
plant manager for many years, became the new CEO. He had effectively
been running the company for the past 10 years anyway, and knew who
the real owners were.
Nyberg retired in 1975. He was a leftover from the Hagelin era
— he came from the factory in Stockholm —
and was clearly growing old.
He was replaced by Heinz Wagner,
a young up-and-coming manager who had been recruted from the ranks of
He had no experience with crypto whatsoever, but was
dynamic, charismatic, good looking and decicive.
When he walked into a room, all heads turned towards him.
After a technical training at the NSA in the fall of 1975, he assumed
command on 1 January 1976.
He would stay on for the next 13 years, and guide Crypto AG through
the most profitable and eventful years in the history of the company.
Although Boris Hagelin's
son Bo would originally have been the heir
to the throne, the entire deal with BND
and CIA was kept outside his view.
The relationship between the two Hagelins had declined so steeply
that they were barely on speaking terms. In 1962, Boris had even appointed
his plant manager Sture Nyberg as the trustee of his estate. Should he
(Boris) die before the company was sold, Nyberg would manage the sale
afterwards. Bo Hagelin was not informed.
The CIA didn't trust him either. Despite the help that he
had provided to the CIA over the years, Bo was seen by many as a
profit-oriented wild card. They were afraid that – once he discovered
the true nature of the deal – he might try to derail it or, worse,
expose the true owners of the company. But then in November 1970,
Bo was killed in a car accident – just five months after the
ownership of the company had been transferred – and CIA
no longer had to worry about him.
The partners began the relation with handicaps. First of all there
was a huge difference in style between the services of the two countries.
The BND was a military kind of organisation where everything
was orderly done by the book and efficiency was paramount,
whilst at the CIA the emphasis was on freedom of action and
personal initiative. The Germans were known for their attention
to detail, whilst the Americans were inclined to ask forgiveness
rather than permission.
There was also a huge difference in the available budget. With the
Americans, money never was an object and NSA has a vast array
of Cray supercomputers at its disposal. The Germans on the other
hand, were on a tight budget. They could not afford supercomputers
— at least not until 1985 — and had fewer staff for codebreaking.
They had to find other ways to achieve their goals.
In August 1970, NSA representatives visited the
factory in Zug, and noticed that it would become very difficult
to control the company and its algorithms.
Apparently, the engineers made improvements
and modifications for virtually any customer who asked.
They realised that Operation THESAURUS was not going to be an easy
ride, especially not with unwitting employees.
The H-460 debacle
In 1965 it had been decided that Crypto AG should make the
transistion from mechanical cipher machines to electronic ones.
This was before the MINERVA purchase,
during the days of the
CIA licencing agreement.
The NSA developed the
and CAG would develop the machine.
But the development met with obstacles and was delayed several times.
NSA developed the first version of a readable
delivered it to CAG in March 1965.
But CAG-engineers had virtually no
experience in developing electronics.
In fact, they barely had any developing skills at all, as in the days of
the mechanical machines, most of the design work had been done by
himself. The new machine — that was to be designated
gradually progressed over the next
couple of years and eventually, in 1970, it was thought to be ready for
When it was announced in 1970, the Italian Army promptly orderd 280 machines.
But when the first 82 units were delivered, there were so many
problems that they returned all of them.
The design was reviewed by the German cryptographic authority
Zentralstelle für das Chiffrierwesen (ZfCh),
who hired German technology giant Siemens
to partly redesign the machine and fix the technical
design flaws. The improved H-460x machine was eventually re-released in 1972.
Later that year, in November 1972, the issue of the H-460 would lead to
a conflict between the partners, when NSA refused to tell
ZfCh how to break the
of the H-460
or the T-450,
which was the teletype version.
NSA's Frank Raven did not want to discuss anything that predated the
The matter was partly cleared in the spring of 1973, when Raven finally allowed to
discuss the H-460
informally, as long as it was not documented.
The 500-series machines
Crypto AG engineers knew that the days of the mechanical
cipher machines were over and that a replacement was needed for
the ill-fated H-460.
They had been working on an electronic
shift-register-based cipher machine since 1970,
but by 1973 there still was no machine.
The partners decided to take over the project and produce a
readable machine that would be called HS-4700 1
NSA said it could design it six months,
but this turned out to be too optimistic.
In mid-1974 it was decided to bring
into the game. Motorola
was a technology giant – established in 1928 by Paul Galvin –
and was able to provide the microprocessor technology that the
project needed. CEO Bob Galvin was approached through
the CIA's cover Intercom Associates
and the situation was explained. 2
The basic machine had already been developed at Crypto AG.
only had to develop the cryptologic, which would be based on
a Motorola 6800 microprocessor in which the NSA-supplied algorithm
would be implemented in software.
The development was done by the Government Electronics Division of
Motorola in Phoenix.
It was agreed that Motorola could use
any of the technologies that emerged from the project, and that the
US Government would compensate for any losses made during the course
of the project.
According to the engineers, it was the first time
that an algorithm was implemented this way.
kept its promises and delivered the first prototypes in
September 1975, and CAG marketed the first 30 machines in early 1977.
Next, it was decided that a portable variant of the machine was needed,
similar to what the hand-held CD-57
had been in the mechanical era.
The partners were in a hurry, as competitor
Gretag had just announced
the small portable Gretacoder 905,
and wanted Crypto AG to be able to compete.
The partners decided that the new machine
– designated HC-520
– would be developed
by Siemens in München (Germany).
was an immediate hit, and became particularly popular in
South American counties like Argentina. Unfortunately, this could not be said about
The machine, which was partly designed at CAG
and partly by Motorola,
was too complicated to build and too expensive.
As a result, not many were ordered and Crypto AG's sales ran
into red figures. It was clear that a suitable replacement for the
desktop machine was needed as soon as possible.
came to the rescue. Jointly with
they had just developed
a cipher machine for NATO
– known as Aroflex
– based on its
Siemens marketed it as T-1000/CA.
They allowed the bare T-1000
to be also used as the basis for a new CAG machine, although
it competed with their own one. The new machine was called
and is shown on the right.
In some documents it is described as H-470 or H-4700
(later renamed HC-570).
They did not tell him that the BND and the
CIA actually owned the company, but they led him to believe
that Siemens was the owner and that CIA and
NSA provided the designs.
Part of the arrangement between CIA
and BND, was that intercepted
traffic would be freely shared between the partners. Each partner
was then responsible for its own codebreaking, but CIA never found
out how successful the Germans were.
sent copies of its intercepts to ZfCh, and that was it.
Apparently the output of the codebreaking work itself – the production –
was not shared.
In the US, NSA had a vast array of Cray supercomputers 1 at its disposal.
With suitable software, they managed to break significant
amounts of foreign messages. In Germany, codebreaking was the task
of ZfCh, but their budget was limited. Too limited for Cray computers.
Nevertheless they were just as successful as NSA,
by using clever optimised programming techniques, 2
but these were not shared with NSA.
Finally, in 1985, a Cray supercomputer also became available to ZfCh.
It was initially agreed that all NATO countries plus Sweden and
Switzerland were allowed to buy secure (unreadable) equipment from
However, as time progressed, more and more countries were taken off the
secure list, including Spain, Greece, Italy and Turkey.
It was clearly NSA's
policy to sell readable equipment to everyone.
Germany, on the other hand, supported the two-cryptologics 3
— the BND was opposed to selling readable equipment to its allies.
At the time, Seymour Crey developed the fastest computers in the world.
NSA bought its first line of Cray computers in 1968, and when Cray
later had its own firm, NSA became his largest customer.
According to ZfCh officer HANSEN, ZfCh used a programming technique
known as Hypothesenverfolgung (Hypothesis-Tracking) to break ciphers
without the need for a supercomputer .
This means that two version of the cryptologic were available:
readable and unreadable.
Operation Thesaurus was no doubt one of the most successful intelligence
projects ever. Crypto AG was at this point the preferred supplier to
80-90% of the world market for cipher equipment. As a result, the
diplomatic and military traffic of many third world countries
became readable, but also that of several European countries,
including Ireland, Italy, Portugal and Spain .
By 1977, NSA was reading about 57% of all its intercepted cipher
messages. It was estimated that, without the MINERVA production,
this would have been about 29%.
At the same time, Crypto AG's business was growing rapidly. From the
start of the operation, in 1970, the turnover had increased steadily,
and by 1975 it had more than tripled. And despite heavy
investments for the development of new
technologies, the forecasts were promising.
Despite the fact that the ill-fated
had been fixed and
re-released in 1972, its problems would haunt the company for several more
years. Customers kept complaining about the mechanical stability, and
there were complaints about the strength of the cryptologic.
By 1976, the Italians and Egyptians had discovered its weakness,
and demanded an explanation.
CEO Heinz Wagner fended it off with his usual charm. The machines were returned
to Crypto AG,
where an updated cryptologic
— unique for each customer —
was fitted, resulting in the addition of a single-digit suffix to the model number,
such as H-4603,
etc. Although the algorithm had been improved, the
machines were still readable by the NSA, albeit with more
cryptanalytic processing power.
➤ More about the H-460
was an online encryption device for teleprinter communications
that had been introduced in 1969, in the days before BND
and CIA owned the company. It had been developed in parallel with the
and featured a similar (weak) cryptologic.
In the autumn of 1978, the Egyptians started
complaining about it and demanded a solution.
At NSA, Dave Frasier developed a drop-in fix that made it more
secure – but still exploitable by NSA – albeit with more computing power.
In the meantime however, unwitting CAG-employee Jürg Spörndli,
had developed his own changes to the cryptologic,
that made the device completely impenetrable. But this was not wat
the NSA wanted, of course. The event led to an internal crisis at
Crypto AG, but in the end,
the NSA won the argument and their
modified (readable) cryptologic was delivered to the Egyptians.
➤ More about the T-450 crisis
In February 1979, less than two years after the introduction of the
CAG-employee Jürg Spörndli,
discovered that it was
possible to break the machine with just 100 characters of known
plaintext, probably after attending a seminar by American mathematician
Although theoretical, it proved that the cipher was prone to
a known plain-text attack (KPTA).
To Crypto AG it was bad news,
as the company couldn't afford another
debacle after the H-460 crisis.
In two years time, the HC-500 series
had become Crypto AG's flagship,
of which more than 1700 had already been sold worldwide.
The original algorithm had been developed by NSA's Peter Jenks,
and was intended to last for at least 20 years.
But CAG's Jürg Spörndli had
now exposed a weakness, which urgently needed to be fixed before customers
discovered it themselves.
At NSA, Dave Frasier designed a
drop-in fix that would defeat the known plaintext attack.
The revised algorithm was considerably more difficult to break by NSA
and ZfCh, but the effort was worth every penny.
For the HC-520,
the drop-in replacement consisted of three ROM chips that had to be
soldered onto the processor board,
in place of the existing ones, which
required the boards to be reworked by a skilled engineer. The image above
shows the replacement ROMs.
A few months later, mid-1979, Peter Jenks died of cancer
and Dave Frasier committed suicide.
In June 1979, the Argentine Navy discovered 1 the weakness themselves,
and demanded an immediate explanation. They summoned the CAG
CEO – Heinz Wagner – to Buenos Aires, and confronted him with it.
Wagner, afraid of being thrown off an airplane, 2
immediately offered the NSA-fix. They accepted it,
but what the Argentines really wanted, was the ability to
attack their neighbouring countries, and the promise that CAG would
not tell them about the vulnerability.
The CIA suspected that Peter Frutiger (see below) – a disaffected former employee –
might have tipped them off, but this was never proven.
This refers to the so-called death flights during the
Argentine Dirty War (1974-1983), in which dissidents and enemies
were dropped to their death from aircraft above the ocean.
In parallel with the Egyptian crisis,
a problem emerged with the
a bulk encryptor that had been co-developed with
ZfCh around 1967.
It contained a readable algorithm that had been
developed at ZfCh.
In late November 1978, during a visit to Belgrade (Yugoslavia)
two (unwitting) CAG people were shown a Yugoslav solution 1
to the machine. Shortly afterwards, in December 1978, two NSA people
flew to Frankfurt (Germany) with a suitable fix, but to their
surprise (and shock) they discovered that CAG engineers had already
provided their own fix to the customer.
And there were more problems — for example with Austria, Argentina and
South Africa — and they were all about the weakness of the
cryptographic algorithms. It was clear that more secure and sophisticated
crypto-algorithms were needed, but with the untimely death of the two most
important NSA cryptomathematicians – Peter Jenks and Dave Frasier –
this would not be easy.
In cryptanalysis, a solution means that the cipher can be broken.
Although CAG-personnel was unwitting about any BND/CIA involvement,
many of them became suspicious over the years. This was especially
the case with engineers and mathematicians, who developed proper
unreadable algorithms, and were then told by management that it had
to be replaced by an alternative algorithm, that came from an external party.
In most cases it was clear to the CAG-engineers that the alternative
algorithm was weaker than the one they had designed.
One example is Jürg Spörndli, the CAG-engineer who had fixed the weak
algorithm of the T-450
back in 1967, much against the will of the NSA. He
was also the person who had discovered that the
HC-500 machines were
vulnerable to a known plaintext attack.
Spörndli was suspicious of involvement of the intelligence
agencies and would frequently appear in the press in later years.
Another example was head of Crypto AG's
– Peter Frutiger – who is also listed as (co)inventor on several
Frutiger wanted the best for his customers and would always
try to fix a weak or broken algorithm if he deemed it necessary.
It caused CIA to find him disloyal.
In 1974, he fixed the algorithm of the
MCC-314 — a bulk encryptor —
after the Austrians and Yugoslavs had discovered a weakness that had
been inserted by ZfCh. And in late 1976,
NSA found out that he had also improved the
cryptologic of the rigged
CSE-280 voice encryptor.
The CSE-280 voice encryptor
was a true digital encryption device
(not a simple voice scrambler),
that was used by the Syrian Army. And when the Syrians discovered that
it had a weak cryptologic
– which had been inserted by ZfCh – Frutiger was only too willing to
replace it with a secure one.
But Syria was also a high-valued NSA target,
and now — with the Frutiger modification —
NSA was no longer able to read the Syrian traffic.
It caused Frutiger to get fired by CAG CEO Heinz Wager
on 10 March 1977
— much against the will of NSA
and CIA. 1
In the following years, he would hount Crypto AG like
a recurring bad dream, which could barely be fought off.
NSA was against firing Frutiger, as they believed a disaffected
employee could become very dangerous for the MINERVA secret.
They even tried to find him a different job (unknown to Frutiger),
but without success.
On 15 February 2020
, a few days after the revalation of Operation
RUBICON, Peter Frutiger gave an interview to NZZ am Sonntag, in which
he claims that he was fully witting of the project, and had actively
been cooperating with CIA
during his time at Crypto AG
He also claims that it was his own decision to leave Crypto AG
as he had
conscientious objections and no longer wanted to support the rigging of
the cipher machines 
In early 1978, shortly after R&D chief Peter Frutiger had been fired,
CEO Heinz Wagner hired Frau Dr. Mengia Caflisch. She was a bright young
engineer. But she was too bright, as far as NSA was concerned.
Soon after her arrival, she broke the new HC-500 cryptologic
– the one that NSA had just fixed –
and went on to expose weaknesses in other CAG products.
And it wasn't before long, that she began developing her own – unbreakable –
Caflisch developed the
HC-740 data encryptor,
which had an impenetrable
By the time NSA found out, late 1978,
they quickly developed a drop-in chip that would make the device readable,
but it was already too far down the production line to halt it.
50 Unreadable units were produced, but because they were going to be sold
to banks, it was not considered a problem.
After Peter Frutiger dismissal, the R&D department was wildly out
of control. It was clear to the partners that a suitable replacement was
needed — a witting one this time. After endless battles between CIA and
BND – in which each one rejected the other's candidate 1 – they finally
settled for another Siemens man, codenamed REX. 2
But REX was not up to the job. Although he was an affable and capable engineer,
he was unable to handle the secrecy that surrounded the project.
REX became nervous and was unable to fight off angry customers and
suspicious employees, and soon developed a drinking problem.
And after an alcohol-related traffic accident,
he eventually got fired as well.
He was replaced by
ALTER, again a man who had been recruted from the ranks of
But like REX he was not up to the job.
According to the partners, ALTER was not much
more than a non-alcoholic REX.
Nevertheless he was systematic and well organised.
Actually there were two other candicates that were briefly hired –
and BUTCHER –
but as their contribution to the R&D department was next to
non-existent, we have omitted them here.
CLAPPER stayed on with Crypto AG in a different capacity,
and BUTCHER left the company.
REX was the CIA/BND cryptonym for Sigmar Horst-Joachim 'Mickie' Grützmann.
His familiy appeared in an interview by Swiss broadcaster SRF on
12 February 2020 [/].1
It was clear that REX was unfit to handle the difficulties
involved in creating hidden backdoors.
So the partners kept searching for a person
with sufficient mathematical background, who was not opposed to the
idea of making CAG equipment readable to Western intelligence.
And with help from Swedish intelligence FRA, they eventually found
a young Swedish mathematics professor.
The new man was accepted by all services
— NSA, CIA, BND and ZfCh —
and, more importantly, by the staff and engineers at Crypto AG.
He moved to Switzerland with his family and would stay on for the next 15 years.
He did not become head of R&D but instead was given an independent status
as scientific advisor — in fact the company-cryptomathematician — who
reported directly to the CEO.
assigned him the codename ATHENA — the goddess of wisdom (and war).
ATHENA went along well with everyone.
For the CAG engineers he was a
respected academic of name and fame, and for NSA
and ZfCh he was a knowledgeable partner, who knew what he was doing.
But ATHENA was also a man of principles. He was an independent thinker, and if
he didn't want to produce readable equipment for a certain customer,
he simply refused to do so. He also insisted that he be allowed to share
all MINERVA technical secrets with the
Swedish FRA. 1
Soon after ATHENA entered stage, the problems with the
again. This was not unexpected, as the NSA fix of 1979
had only been a gap-fill solution. ATHENA immediately recognised the
weaknesses in the algorithm, and started the development of a solid
ATHENA appeared to be the right man for the job. He openly discussed
the weaknesses with customers, and told them that the
cryptologic had been developed
long before he had entered the firm, but that he would now fix them.
It gave them enough confidence to stay with Crypto AG.
The 'improved' cryptologic was released in 1981. From then on, all new
were equipped with the ATHENA-algorithm, which appeared to be
secure from the outside. It was able to withstand an advanced known
plaintext attack, but was in reality just as exploitable as before.
When Chile complained about the weak CAG
ATHENA was afraid that they were just inches away from breaking their own
But when they threatened to buy
ATHENA argued that
would not be able to obtain an export licence. 2
He also promised to provide them with a more secure
cryptologic, that would be made exclusively for them.
They believed him and accepted the offer.
And thus the Chileans stayed with Crypto AG.
Sture Nyberg – the CAG CEO from 1970-1975 – had also made this a condition
of his cooperation.
He could say that, because he knew he would be backed by
the approving authority at NSA.
In 1982 the Falklands War broke out, an undeclared 10-week war between
Argentina and the UK over two British-controlled territories in the South
Atlantic: the Falkland Islands . During the conflict, the Argentines relied
on foreign encryption equipment for their secret communications.
This included the HC-570
systems that Crypto AG had fixed
in 1979 and again in 1981, and which they had trusted to be secure.
But after the war, the Argentines discovered that their systems had
been broken by American and
British intelligence services.
They were furious, and ATHENA was summoned to Buenos Aires to explain.
It appeared that the Argentines had been using two
analogue voice scramblers:
the Datotek DC-505
and the Crypto AG CRM-008.
Although the latter was significantly better than the Datotek one,
both were inherently insecure.
After a long debate, the Argentines accepted the explanation
and kept buying (rigged) Crypto AG equipment.
ATHENA had saved the day again.
In North Africa, the Egyptians kept complaining about the supposed insecurity
of their Hagelin systems. But when ATHENA questioned them, they criticised
design features that had nothing to do with security,
so he knew they were just guessing.
But the suspicions remained, and in the end the Egyptians decided to buy
equipment from the
Austrian company Mils Electronic,
not knowing that those were not secure either... 2
In the early years, ATHENA had to fight two wars simultaneously:
he had to convince customers that the
Crypto AG systems were secure,
whilst at the same time deceive his own colleagues.
He re-engineered the (unreadable) cryptologics that had been made
by his colleagues before his arrival, but explaining them why this was
necessary, was the most demanding part of his job.
Unknown to either of them, NSA had refused to help the British.
Instead it was the Dutch Navy
who shared its ability to read
both Datotek and
systems, allowing GCHQ to break the ciphers themselves.
At the time, the equipment from Mils Elektronik
was controlled by the German BND
(later by the CIA) .
It is currently unclear how (and if) BND/CIA were able to influence the
algorithms, as most of the equipment was based on the unbreakable
One-Time Pad system which is inherently
secure. It is likely that this refers to early algorithm-based
Although the crises would not be over any time soon, business was going well.
Around 1980, Crypto AG had a cash reserve of no less than US$ 20 million.
BND used much of its share to finance other operations.
All from MINERVA.
In 2004, a CIA historian summarised it as follows:
In fact, the operation was so successful, that by the end of the decade (1980),
NSA was reading 82% of the traffic that came from
original mechanical Hagelin machines,
like the C-36,
In addition, they were able to read 50% of all
But of the electronic machines — that had been influenced by the
Germans and Americans — NSA
could read 96% of the intercepted traffic.
Without MINERVA, this would have been more like the 7%
on new Gretag machines.
But apart from Gretag,
most crypto-manufacturers were now firmly under control.
By 1982, the company's founder
– Boris Hagelin –
was enjoying his retirement, and divided his time between Switzerland
and Sweden. He had left the company 10 years earlier, and would soon
become ninety. For the occasion he travelled to Sweden, where much
of his relatives still lived.
In Sweden he caught a cold that was so bad he had to be
hospitalised near Malmö. He appeared to be near death, and his
family was afraid that he would eventually die in Sweden, and that
they might then be liable to pay (high) taxes over the estate in Sweden.
So, at the slightest sign of improvement in his condition, they rushed him
onto a waiting airplane, and back to Switzerland.
In the meantime, the CIA feared a repeat of the problems of 1969,
when William Friedman died.
Friedman left his library (and correspondence) to the
and in 1982, author James
Bamford wrote a book that was partially based on the correspondence
between him and Hagelin.
It prompted NSA to remove sensitive material 1 from the Marshall Library
In February 1982, with the help of Hagelin's second wife Elsa,
CIA searched the study of his house in Zug, 2 and removed anything
that could link him to Friedman and/or the American intelligence
The evidence was taken to Langley, where it remains to this day .
Hagelin never fully recovered and died the following year –
on 7 September 1983 – at the respectable age of 91.
Some of the material that NSA confiscated from the Friedman estate,
was released to the public in 2014, albeit in a heavily
redacted form . Our story about
The Gentleman's Agreement
is based on it .
With Hagelin's consent.
In the fall of 1987, the name of the covert operation – THESAURUS –
was changed to RUBICON.
Towards the end of the 1980s, the profits of the company started dropping,
whilst the running costs increased every year. It prompted the CAG
CEO to consider entering the commercial market.
After all, competitor
had successfully been selling into that market for years. Initially, the
partners didn't like the idea, but when in 1987
Gretag appeared to be
considering a buyout by Swiss communication equipment manufacturer
Ascom AG, they reconsidered.
In order to block-off Gretag,
they gave CAG the green light for a
partnership with Ascom.
A new company was founded – InfoGuard – in
which the joint venture would take place.
Owned by both companies, it was housed across the street
and was largely staffed by CAG engineers.
Although the commercial market was not regarded as an intelligence target,
CIA argued that it might become one in the future, particularly in
the view of international terrorism.
It was decided that InfoGuard would sell
crypto-enabled radios that were manufacturered
by Ascom's subsidary Radiocom, and that they would contain
Crypto AG's (readable)
HC-3400 drop-in crypto chip.
It didn't work as expected, and InfoGuard
turned out to be anything but a profit
maker. And there were other failed attempts to set up partnerships, such as with
the Australian company RanData,
and with SAGEM in France.
The partners felt that, after 14 years of service, it might be wise
to replace the CEO.
Heinz Wagner left the company at the end of 1988 and was replaced
by Michael Grupe – 48 years old – who had been plant manager
at the Osram light bulb factory in Greece. 1
Michael Grupe did not hit it off very well. He appeared to be stiff-backed
and did not have a good relationship with his staff, including
cryptomathematician ATHENA. In fact, the situation got so bad that,
in October 1989, a group of 20 employees sent a 'Letter to the Tsar'
to the CAG board.
The letter had not been signed by ATHENA,
but that didn't make it any better than did the letter.
Under Grupe, the joint venture with
was cancelled, 2 and
became a full CAG subsidary again.
But even with a new CEO, the
financial situation did not improve. There was a wordwide recession going
on, and many governments had started to develop their own crypto equipment.
1987 had been the first year without a profit, and the forecasts were
not very good.
But there was also good news: after the collapse of the
the former Eastern Bloc
countries had become a new sales target, as they no longer wanted
Soviet cipher machines.
It would not be possible
(yet) to sell them NATO equipment, but everything else would be fine.
At the time, the Osram light bulb factory in Greece was a subsidary of Siemens.
After this, Ascom continued to sell radios with CAG crypto chips though.
Although per initial agreement all NATO countries would have
access to secure equipment, the NSA
kept removing NATO countries
from the secure list, including Greece, Italy, Spain, Portugal,
Turkey and even Belgium. By the late 1980s, their target list 1
included the following countries:
- Saudi Arabia
- South Korea
Until the mid-1980s, Turkey had been using a
One-Time Tape (OTT) cipher
known as CPPM 2
for the encryption of its diplomatic messages. Because it was used incorrectly,
it was readable, and had been a great intelligence source for Western and Eastern Block intelligence
But Turkey knew that their CPPM system was vulnerable and was looking for
In 1982, the Dutch firm Philips
had introduced Aroflex,
a secure cipher machine that had been developed with
exclusively for NATO.
A civil version was sold by Siemens
but was readable with a special purpose device,
developed by Dutch Naval Intelligence (MARID).
NSA had discovered that Turkey wanted to order more
than needed, and use the surplus for its diplomatic traffic. This was not
allowed, and had to be prevented at any cost.
The Siemens T-1000/CA
was offered as an alternative, but the Turks rejected it, as they
probably expected it to be insecure. Siemens was then asked
to create a special version of the T-1000/CA for Turkey, but refused
to do so. 3 In the end, NSA teamed up with the
Dutch intelligence service BVD 4
and a special version of Aroflex
was made for Turkish diplomatic traffic .
To the outside world it looked like a genuine
Aroflex, but in reality
it was a modified T-1000/CA.
Although it was not readable with the special purpose device of the
Dutch Navy, the increased computing power that had meanwhile become
available, allowed it to be solved by other means.
And thus, the Turkish diplomatic traffic remained readable,
albeit no longer for the Germans .
➤ More about Aroflex
This target list only includes countries there were using Crypto AG equipment.
CPPM was a One-Time Tape (OTT) cipher machine,
made by SAGEM in France.
It is understandable that Siemens declined, as the cryptologic had
been developed by Philips Usfa
in Eindhoven (Netherlands),
and Siemens had no control over it. It was therefore impossible to comply.
More precisely: the Netherlands National Communications Security Agency
(NLNCSA), nationally known as Nationaal Bureau voor de Verbindingsbeveiliging
(NBV). The NBV is a department of the BVD
Despite the worsening financial situation, MINERVA kept producing the bulk
of the decrypts on Third World targets. With the end of the
Cold War in sight,
would no longer be a target, but the rise of international terrorism
kept MINERVA in the lead as an intelligence producer.
In general, Egypt, Morocco, Iraq, Iran, Malaysia, Tunesia and Argentina
were the most important intelligence targets, and most of them were
readable because of MINERVA.
Iran produced by far the best intelligence.
In 1988, 19,000 Iranian messages were decrypted, which
was 80-90% of their total traffic. Indonesian decrypts provided information
about the Philippine situation. When in 1989, the United States invaded
Panama, they knew that General Manuel Noriega was hiding out in the Vatican
Embassy — all from MINERVA decrypts.
It prompted the DDO of
NSA to say:
But NSA knew that it would not last forever. By the late 1980s, it was
clear that it would become more and more difficult to develop exploitable
algorithms that could withstand the scrutiny of the academic world.
Foreign nations were becoming increasingly educated in their understanding
of cryptographic algorithms – largely due to the widespread debate and
publicity surrounding Public Key Cryptography (PKC)  –
and started developing their own crypto gear. As an example: the Iraqi
crypto market largely disappeared as Sadam Hussein 1 insisted on
Saddam Hussein was president of Iraque from 1979 to 2003.
The Hans Bühler affair — HYDRA
Wilst the 1980s had been relatively smooth — despite the financial
position of Crypto AG — the 1990s were about to bring much turmoil.
On 14 March 1992, Crypto AG top sales representative Hans Bühler
– then 51 years old – left on a plane to Tehran (Iran) to do business
as usual. He had a return ticket and was to fly back six days later,
on 20 March 1992. But it was not to be.
Iran had always been one of Crypto AG's most loyal customers, despite
the fact that in 1979 the regime had changed, and despite recurring
rumours that American intelligence was reading CAG equipment.
They had questioned Bühler on several occasions, such as after the
La Belle Disco incident 1 in 1986, but there had never been any real trouble
with the Iranian authorities before.
When Bühler did not return home on 20 March, the company started
making inquiries, and on 31 March they were informed by the Swiss Embassy
in Tehran, that Bühler had been arrested with three others 2 on the
grounds of spying, bribery, illegal contacts and illegal use of alcohol.
There was no mention of the suspicion of rigged CAG equipment whatsoever
(nor would there be later).
CIA later figured out, that Bühler had probably been picked as a target,
as 'ransom' for an Iranian citizen 3 that had recently been arrrested
in Switzerland. When Bühler was first visited by Swiss consular officials
on 20 April, he was in bad mental condition.
CIA had no idea what Bühler knew about the BND/CIA involvement, and was
afraid that he would make incriminating statements.
This situation lasted until 8 September 1992, when his bail was set
at US$ 1,000,000 pending further investigations. It allowed him to
leave the country, but he would have to return to Iran for his trial later.
CAG tried to bargain down the hight of the bail. The company was in no way
able to raise that much cash.
The BND was prepared to raise the US$ 1,000,000, as long as it would be
split 50/50 with the CIA.
But CIA officials were hesistant and were
afraid that it might be illegal. 4
On 6 October, CIA agreed to pay their 50% share,
but the White House rejected it the next day.
In the end, the BND raised the entire sum, and transferred
it to Crypto AG,
through their covert mechanism, the Bundesvermögensverwaltung (BVV).
On 5 November, Bühler was officially charged by the Iranians,
and on 5 January 1993, he arrived safely at Zürich airport in Switzerland.
Bühler was severely traumatised and felt that CAG had not done enough to
enforce his release.
Despite a non-disclosure agreement with CAG,
he talked to the press and accused Crypto AG of
in their equipment to the advantage of German and
At one point he even claimed that CAG wanted him to repay the US$ 1,000,000
bail, but withdrew that statement later. Eventually he was fired by the
on 10 March 1993, much against the will of the partners. They felt it
would have been better to keep him close. And they turned out to be right.
Bühler got in touch with Peter Frutiger – the former head of R&D who had
been fired 16 years earlier - who had secretly filed official charges against
Crypto AG about rigged equipment.
This led to several investigations by the Bundespolizei (the equivalent of
the American FBI),
who even questioned the members of the CAG board. The
machines were investigated as well, but no evidence was found. In the end
the matter was settled with Bühler for CHF 250,000, but that did not
keep him from talking to the press again. On 23 March 1994,
Bühler appeared on Swiss and Austrian national television, claiming
that not Siemens,
but the BND was behind the company.
And around the same time, investigative journalist Res Strehle
published a book about the affair.
The Hans Bühler Affair — cryptonym HYDRA — was by far the most damaging
one in the history of the operation. Not only for the MINERVA secret,
but also for the relationship between BND
Bühler had meanwhile been silenced by means of a restraining order,
but the damage had been done. And it would be far from over.
It made the Germans reconsider their position.
➤ More about Hans Bühler
La Belle was a discotheque in West Berlin, where on 4 April 1986
a bomb exploded, that had alledgedly been planted by Lybian agents.
The bomb killed two and left 79 injured.
Salimi Nejad (the owner of Hasliran – CAGs distributor in Iran),
Nejad's brother-in-law and an unnamed Iranian military officer.
The Swiss had arrested an Iranian man by the name of Zeyal Sarhadi,
who had been accused of assasinating Shapour Baktiar – the former
Iranian Prime Minister – in France.
As a matter of principle, the American government never pays ransom.
However, Congress had never passed a law to prevent it, as a result of
which is was simply a policy matter.
From the start of the operation there were differences in management and
operational style between the partners, which led to frictions on several occasions.
Furthermore, Germany had an increasing loyalty conflict with respect to
its European partners. The BND wanted to protect them against (industrial)
espionage from the US, which the CIA naturally opposed.
There were also financial reasons. In post-war Germany, the annual BND budget
was modest. In the early days of the joint venture,
the company – Crypto AG –
had been highly profitable and the BND had used these profits
to finance other operations. For the CIA on the other hand,
money had never been an object. By the end of the 1980s it became clear that
the successful days were over and that soon the partners would have to inject
new capital to keep the company afloat.
In addition, there was the increasing risk of exposure. Dissidents within
the company were seeking public recognition for their suspicions, and
had been talking to the press on several occasions. But the real turning point
was – no doubt – the Hans Bühler affair.
It had made the Germans very nervous.
And despite the fact that money was no object for the CIA,
the German Government had to bail Bühler out in the end.
In 1992, the BND considered the following:
- Cultural and operational differences between CIA and BND
- Germany's relation to its European partners
- Increased cost of the operation
- Increasing risk of exposure
- The Hans Bühler affair (HYDRA)
The CIA had seen this coming and was aware of the fact that the
Germans had limited financial resources and were at risk of being exposed
because of the HYDRA affair, which could lead to embarrassment.
So in early 1993, they had started working on a plan to buy the Germans out.
On 30 May 1993, the BND president
informed the American DCI James Woolsey about the increasing difficulty
in supporting the program and that changes to the relationship were unavoidable.
On 13 August 1993, the DCI presented a draft proposal to the Germans, the
details and wording of which were refined during the latter part of the year.
The Germans accepted.
On 16 December 1993, the partners signed a memorandum of understanding,
in which the details of the 'divorce' were roughly outlined. It was agreed
that the Americans would issue an advance payment of US$ 12 million, awaiting
final valuation by Deutsche Treuhand Gesellschaft (DTG), and that
all contacts between the BND and
Crypto AG would be terminated immediately.
All that remained to be done, was tie up some loose ends and transfer the
On 20 June 1994, the Crypto AG Board was informed that agreement
with the Siemens Beirat – which had meanwhile become a financial burden –
would be terminated.
Finally, on 30 June 1994,
the anonymous barer shares were transferred,
after which the CIA
was the sole owner of Crypto AG.
The legal construction in 1994
The diagram below shows the situation after the transfer of the barer shares
from the BND
to the CIA.
This was done outside the view of the Liechtenstein law firm Marxer
and Goop, but with DTG as the fiduciary.
The CIA made a pre-payment
of US$ 12 million on 11 December 1993, awaiting a final appraisal by DTG.
In February 1994, the shares were valued at US$ 17.1 million and the balance
was payed by the CIA
on 30 June 1994. After that, the barer shares were handed over.
This ended the work of DTG, who no longer wanted to be a feduciary after this date.
It also ended the partnership between the BND
and the CIA, which had lasted for more than 20 years.
The CIA found a new fiduciary —
Although the divorce had been inevitable, many within the BND
felt that the German contribution to the project should have continued,
and could not understand why the German Government had left the operation
entirely to the Americans.
In the memorandum of understanding of 11 December 1993, in which the terms
of the divorce were outlined, it was agreed
that the Germans would continue to benefit from the intelligence
produced by Operation RUBICON after the termination date.
According to CIA, they kept their part of the bargain
and continued to share the output of the operation with the German BND.
According to BND sources however, this was not the case.
officer METAL (cryptonym) states that, once the divorce
had come into effect, the Americans started 'improving' some of the
CAG algorithms, as a result of which they were no longer readable
to the Germans . Had it not been for the Swedish intelligence service
the Germans would have been blind at this stage .
In 1995, sortly after the divorce with the BND,
the CIA celebrated
the 25th anniversary of the operation, 23 of which had been together
with the German BND. But in reality, the program of influencing
Crypto AG gear,
had started back in 1951 with the first
For the CIA, it was the most productive and longest-running
intelligence project since World War II.
MINERVA went through quite a few storms and narrow escapes.
The Bühler Affair was by far the most critical one, as it came close
to exposing the operation. It also had a demoralising effect on CAG
employees. Bühler had contacted virtually everyone in the firm, and now some
were looking for another job. And in addition there would be layoffs,
following future reorganisations.
By 1995, it was clear that the days of solid revenues were over.
The company was struggling to survive, and it would be increasingly
difficult to infuse money from the US Government into it, without being
exposed. Under American pressure, the Swiss Government had become more
and more concerned about money laundering through its banks. And that
was exactly the mechanism that CIA used to channel money to
ATHENA – the company cryptomathematician – had announced in 1990 that he
wanted to retire in approximately five years time. And in January 1995
the time had come. He had given the 15 best years of his life to the success
of the company and to Western intelligence. But there were also doubts.
After the divorce,
the CIA had become the single owner, and he was ambivalent.
He recognised the efficient and flexible operating style of the CIA,
but wondered what the future policy in relation to readable and
unreadable equipment would be, now that a single party was in control.
In his view, the shared ownership had always been a way to keep each other
And now, he was no longer in the loop.
For his services, he received the CIA's Agency Seal Medallion. 1
Today known as the Agency Seal Medal
The Hans Bühler Affair was not the last of the damaging revelations.
– a journalist of The Baltimore Sun – was writing a series
of articles about the NSA, and was probing
Crypto AG employees (and former employees) for further information.
And he was about to expose one of the longest and most secret US intelligence
operations to the American public .
On 10 December 1995, the article appeared in The Baltimore Sun,
the home newspaper of many NSA employees who lived in Maryland.
It was just as damaging as CIA
and NSA had feared.
It even mentioned Nora Mackebee — a former NSA officer —
and linked here to Intercom Associates,
the CIA cover company under which
and CIA people had operated in relation to the
Crypto AG business. She (and others) had visited the company to
give 'advise' on cryptographic algorithms.
At NSA headquarters in Fort Meade, it was the talk of the town for
many days. It is rumoured that lower NSA staff bought extra copies of
the newspaper, to read what they were not supposed to know.
Crypto AG's CEO Michael Grupe, issued the usual public denial statements.
He attributed the allegations to 'disgruntled employees' and claimed
that everything was 'pure invention'.
In 1996, the German magazine Der Spiegel followed with a similar
Following on from the Hans Bühler Affair, journalists
from the magazine had spoken with former CAG employee Ernst Polzer, 1
who confirmed that NSA cryptomathematician
Nora Mackebee had visited the firm on more than
one occassion, and had insisted on the use of certain cryptographic algorithms.
The former colleague also confirmed the relationship with Motorola during
the 1970s, and that the algorithms for Crypto AG's speech encryption
products, had been provided by the German cipher authority ZfCh.
It was clear to him that the machines had been manipulated. Of course
they protected users against eavesdropping by a third party,
but who was the authorised fourth?
➤ Read the full article
Pseudonym. It is believed that this was
Peter Frutiger who got fired in 1977.
Who was aware of the MINERVA secret apart from the US and Germany?
First of all the UK. GCHQ, the British
codebreaking organisation, had a long running partnership with the US
that dates back to WWII. They had been briefed by the Americans, and
the intelligence production was shared with them, but they did not
participate in the project. They were kept informed by
NSA/CIA, but this was initially not told to the Germans.
It had led to a serious confidence conflict in 1973.
It was assumed that Sweden was witting as well. Although they had
never formally been briefed, the ties were strong and it was
assumed that Boris Hagelin, and after him CEO Sture Nyberg,
and finally ATHENA, kept the Swedish military intelligence service
FRA fully informed.
Furthermore, Hagelin had insisted that
Sweden be allowed to buy secure equipment, and ATHENA
had even made it a condition for his cooperation to the program,
when he was recruited.
The same can be said about Switzerland.
They had never been officially informed, to allow for plausible
deniability in case the program was ever exposed. It was assumed however,
that they were kept informed by people in the company.
Like with Sweden, Hagelin had insisted that
Switzerland would have access to secure equipment.
And during the Hans Bühler Affair (HYDRA), it had become clear that
high ranking Swiss military intelligence officials were fully witting.
The French were certainly also witting. They had been part of the
initial attempt to buy Crypto AG with the Germans, so they
could guess what was going on. Every decade, they would raise the
question to let them in on the secret, but the Germans always
sent them home empty-handed.
➤ Larger map
Over time, the codebreaking abilities were shared with other countries,
such as Denmark, France, the UK, Israel, the Netherlands
and Sweden, but the actual operation — THESAURUS/RUBICON — was not revealed.
For many years it allowed Western intelligence
agencies to break foreign codes at an unprecedented scale,
that was even bigger than Operation Ultra
had been during WWII
Although the actual list is probably longer, the documents identify
the following targets:
- Vatican City
- Ivory Coast
- South Africa
- Middle East
- Saudi Arabia
- South Korea
- United Nations
Around the turning of the century, new technologies started emerging,
that made it increasingly difficult for Crypto AG to survive, and for
to maintain its dominant intelligence position. In
Data Encryption Standard (DES) and later
the Advance Encryption Standard (AES) and
Public Key Cryptography (PKC)
became mainstream in later years.
Unlike in the past, when the development of crypto-gear
was the domain of industrialised nations, cryptography
is now affordable to everyone, including the Third World.
And most cryptography is now software-based.
For many years, the (American) intelligence services have tried to
keep cryptography away from the main public, in particular by trying to
impose export restrictions and
but they were fighting
a losing battle. With the emerging internet, borders have gradually
In addition, the communication channels have changed.
Advanced frequency hopping, spread spectrum transmissions,
digital modulation techniques, mobile telephony, fiber optics,
increased communication speeds,
the internet, and the like, have made it increasingly difficult
to intercept secure traffic. And without intercepts, there is nothing
for NSA to decrypt.
The trend to move away from hardware-based cryptography, has made
a less valuable asset for the CIA.
In January 2018, it was announced that the Swedish entrepreneur
Andreas Linde has taken over the product portfolio from Crypto AG for an
undisclosed sum. Dan Ove Andreas Linde and his wife Emma Victoria
Linde, are now on the board of the newly established
Crypto International AG.
In the past, Linde has founded several Swedish companies.
Until 2015, he was CEO of Advenica, where he
is now a board member. In 2015 he founded Famco —
a cyber security service provider for government organisations .
In 2000, Linde co-founded 4C Strategies — a
risk management solutions and continuity company.
According to the press release of January 2018, Linde has only
taken over some of the assets of Crypto AG – including
service contracts – but not the company itself.
The buildings had already been sold in a separate transaction in 2017 .
Note that Crypto International AG
is an entirely new company which has
no prior involvement with the old Crypto AG whatsoever,
other that the fact
that it took over Crypto AG's portfolio in early 2018.
It seems unlikely that Linde was aware of CIA involvement at the time
of the buyout.
The old Crypto AG no longer exists. It was liquidated on
31 October 2019, whilst the remaining assets were transferred by means of
a fusion to The Crypto Group AG (TCG) the same day.
A separate licencing company – Prime Technology Licencing AG (PTL) – which was
the official owner of the CAG patents since 1998, had already transferred its
assets to TCG on 17 January 2018 and was liquidated the same day.
On 23 December 2019, The Crypto Group AG (TCG) was renamed
TCG Legacy AG, and is currently in liquidation.
Almost all traces of Crypto AG have been wiped.
Simultaneous with the transition of Crypto AG
to Crypto International AG,
a new company – Crypto Schweiz AG –
has been spun-off as a result of a management buyout. It is managed by
three former members of the CAG-board and will be active on the Swiss
national cyber security market . Shortly after the management buyout,
Crypto Schweiz AG was renamed CyOne.
In a separate press release, it was announced that
InfoGuard – which had until that
time been a subsidary of Crypto AG – was also spun-off in a management buyout,
and will also be active in the field of cyber security .
The buyout was led by the same three CAG-board members are for
buyout. It was anticipated that the two companies will be
working closely together.
➤ About CyOne
➤ About InfoGuard
When Operation RUBICON was revealed by the German,
Swiss and American press on 11 February 2020, the Swiss Government
announced that pending a formal investigation, the export licence of
Crypto International AG had been suspended. And in the first week of March,
the police raided the offices of Crypto International AG in Steinhausen
(Switzerland) to secure evidence,
awaiting a formal SECO investigation .
➤ Media coverage
➤ MINERVA timeline
According to BND sources, it was the strategy of western intelligence services
to get a grip on any company that wanted to develop and/or sell cryptographic
equipment. New startups were visited and were encouraged to work with
the intelligence services to produce readable equipment. In
return, the company got help with the development of algorithms and
obtaining export licences.
Crypto AG (and two other companies)
Under control —
Rohde & Schwarz,
Mils Electronic (see below)
Not under control —
If a company did not want to comply with the unwritten rules,
they would not receive such help. On the contrary: there are cases in which
smear campaigns were launched to prevent customers from buying equipment from
unwilling manufacturers, such as the Swiss Gretag.
Below is a non-exhaustive list of companies that are mentioned in unreleased
and BND documents
TeleSecurity Timmann (TST) 1 was a small company in Tützing, right at
lake Starnberg – close to München (Germany) – owned by Klaus Peter Timmann.
Business went well, and in the mid-1980s, Timmann had bought a large villa
that housed his family, his private museum and the company.
Timmann produced small but powerfull encryption devices, and like all
companies that appeared on the German crypto market, he was visited
by the BND with the request to make the algorithms readable
to them. In return, they would help him with export licences,
and with the development of cryptographic algorithms.
Timmann immediately offered his full cooperation, but as he
was somewhat of a wildcard
— illustrated in this anecdote —
the BND also planted a mole inside his company.
The mole – in reality a BND engineer – developed the algorithms for
This way, TST
was under control of the BND for several years,
until the Germans got cold feet and left TST to the Americans.
This happened in the early 1990s, and should be seen in
the light of the Hans Bühler incident, which caused the Germans
to fear exposure. It had prompted them to terminate their
partnership with the CIA.
Nevertheless, it was uncomprehensible for BND
officers, that Americans were now running a crypto company
in their country. TST was dissolved in 2009.
➤ More about TST Timmann
Not to be confused with Telefunken System Technik, which is also abbreviated TST.
From the late 1970s, the Austrian company Mils Electronic
(also written Mils Elektronik)
was also under control of western intelligence.
The company had its roots in Trier (Germany) and was founded shortly
after WWII by German electronics engineer Willi Reichert, who made a
fortune by selling refurbished
to western governments.
In 1955, Reichert moved his company to neutral Austria, in an attempt to evade
the restrictive German export rules.
In the late 1970s, in an act of frustration,
Reichert sold his company to Belgian entrepreneur
Paul Huskell in a transaction that is very similar to Hagelin's sale
of Crypto AG
to the BND/CIA in 1970, using a Liechtenstein law firm
and a complex of Anstalts to hide the actual ownership from
public view. It is known from the leaked CIA and BND documents, that
was under control of western intelligence at the time, first of the BND
and later (after BND had left RUBICON) of the CIA,
although it is unclear what the extent of this control
was and how long it lasted. It seems likely that this only affected the
Mils equipment that was not based on
One-Time Pad (OTP)
or One-Time Tape (OTT) systems,
as such systems are inherently secure when used correctly.
Between mid-2017 and mid-2018 – around the same time as Crypto AG changed
hands – most of the staff was layed-off and sales activities were
unexpectedly terminated with immediate effect.
The website has since become defunct and Mils
practically seems to have been dissolved.
➤ More about Mils Electronic
was clearly an exception to the rule. Since the 1950s,
had been trying to get control over the company, but to no avail.
Edgar Gretener, the founder of the company, exploded at the slightest
provication and did not want to comply. After Gretener's death in 1958,
the firm was taken over by the Swiss Ciba-Geigy concern,
and successfully made the transition from to electromechanical to
electronic cipher machines. For Ciba-Geigy, Gretag was a pofitable branch.
The problem for the western intelligence agencies was that
were highly secure and were not readable to them. In practice,
was seen by the BND as one of the greatest dangers to the operation.
In 2011, BND
officer HEINE wrote about Gretag (tanslated) :
The biggest danger came from the Swiss firm Gretag in Regensdorf (Switzerland).
The company was founded in 1943 by Dr. Edgar Gretener. They introduced the
Gretacoder and initially produced mechanical cipher machines, succeeded
by fully electronic on-line versions, that had a good track record. [...]
At the time, Gretag was the only serious competitor. They developed and
produced all kinds of high-grade cipher equipment. Their market was,
besides the Swiss Army, the same countries and governments that
Crypto AG was interested in. [...]
Libya had bought Gretag equipment, and other countries were threatening
to do the same. All skills were used to make the customers stay with
Crypto AG, including price consessions. In addition there were tailored
smear campaigns, which means that Gretag equipment was delibrately
dragged through the mud.
From the 1970s, both the NSA
and CIA repeatedly tried to purchase the company.
The owner – Ciba-Geigy –
was approached about a possible sale, but did not want to give up the
profitable business. In the early 1990s, when profits started declining
and Ciba-Geigy became increasingly uncomfortable with the secret nature
of the Gretag business, they finally decided to sell it off.
In 1991, after being pushed by the CIA, the American telecom giant
AT&T took over Gretag and renamed it
Gretag Data Systems. It was the intention of the Americans to get control
over the encryptors that were used for the international
SWIFT inter-bank communications system. But, unknown to AT&T,
Gretag had managed to sell
that part of their business to the newly created Swiss firm
the transaction took place. In 1995, the Gretag business was taken over
from AT&T by IRE — a new company that was founded by two former
In 2002, IRE became SafeNet.
In 2004, the Gretag assets were liquidated due to lack of revenue.
➤ More about Gretag
Another player over which the intelligence services did not have control,
was the Australian firm RanData,
founded in 1984 by an Italian entrepreneur
– Amadeo Monte Sala – who had worked for NASA during the 1960s Gemini
In 1987, Crypto AG CEO Heinz Wagner
was about to enter into a joint venture with the company, when CIA
discovered that RanData
was not under control of the
Defense Signals Directorate (DSD);
the Australian cryptologic organisation.
In other words: RanData equipment was unreadable. Wagner was
ordered by the CIA to cancel the deal.
➤ More about RanData
- Peter F. Müller and Ulrich Stoll, Operation Rubikon, Wie BND und CIA die Welt belauschten
ZDF Television (Germany), Frontal-21. 11 February 2020.
- Greg Miller, The Intelligence Coup of the Century
The Washington Post (USA). 11 February 2020.
- SWI, Investigation opened into Swiss encryption firm liked to CIA
Swissinfo.ch (Switzerland). 11 February 2020. Interview with Greg Miller of The Washington Post.
- SRF, News broadcast
10vor10 Television (Switzerland). 11 February 2020
- Huub Jaspers, De cryptoleaks van CIA en BND: 'Dit was de inlichtingen-coup van de eeuw'
VPRO, Argos website (Netherlands). 11 February 2020.
- Rundschau, Weltweite Spionage-Operation mit Schweizer Firma aufgedeckt
SRF Television (Switzerland). 12 February 2020.
➤ Original Swiss broadcast without subtitles
- NOS, Inlichtingencoup van de eeuw
Nieuwsuur television (Netherlands). 13 February 2020.
- Domink Landwehr, Interview with Res Strehle (author of 'Der Fall Hans Bühler')
Entretiens - Interviews (Switzerland). 13 February 2020.
- VPRO Radio, Cryptoleaks. 'De Inlichtingencoup van de eeuw'
VPRO, Argos podcast (Netherlands), 15 February 2020.
- Greg Miller and Peter F. Müller, Compromised encryption machines gave CIA window
into major human rights abuses in South America
The Washington Post (USA). 17 February 2020.
- Rundschau, Geheimdienst-Skandal
SRF Television (Switzerland). 19 February 2020.
- Huib Modderkolk, The Netherlands used superchip to eavesdrop on other countries
De Volkskrant newspaper (Netherlands), 20 February 2020.
- Rundschau, Geheimdienst-Affäre: Die Wut der Argentinier
SRF Televsion (Switzerland). 26 February 2020.
- ZDFinfo, Operation Rubikon
ZDF Television (Germany). 18 March 2020.
- CIA Historian, MINERVA, a History
Internal CIA publication TOP SECRET, 2004. 1,2
- Crypto Museum, The Gentleman's Agreement
The Friedman Papers, 30 July 2015.
- Scott Shane & Tom Bowman, Spy sting: Few at the Swiss factory knew...
Baltimore Sun, 10 December 1995.
- Scott Shane & Tom Bowman, NSA's ... Rigged encryption machines
Baltimore Sun, 10 December 1995.
- Internal BND document ref. 303395/2
BND, October 2012.
- Internal BND document ref. 303395/3
BND, 18 February 2011.
- Internal BND document ref. 303395/4
BND, 13-14 August 2009.
- Internal BND document ref. 303395/5
BND, June 2011.
- Internal ZfCh document ref. 303395/6
ZfCh, November 2012.
- Internal BND document ref. 303395/7
BND, 29 September 2008.
- Internal BND document ref. 303395/8
BND, 11 December 2009.
- Internal BND document ref. 303395/9
- Crypto AG, Background information
Press release, 24 January 2018.
- Crypto AG, Andreas Linde's vision for Crypto
"Our independence differentiates us from other providers"
14 February 2019.
- InfoGuard, Management Buy Out by InfoGuard
Press release, 25 January 2018.
- Hans Stadlin, 100 Jahre Boris Hagelin 1982-1992 (German)
Crypto AG. Crypto Hauszeitung Nr. 11. Jubilieumausgabe September 1992.
- Wikipedia, Shift register
➤ Linear-feedback shift register
➤ Nonlinear-feedback shift register
Retrieved December 2019.
- Wikipedia, Falklands War
Retrieved January 2020.
- NSA, William F. Friedman Collection of Official Papers
Retrieved July 2015. 1
- National Cryptologic Museum (NCM), Picture of Friedman and Hagelin families
Retrieved July 2019.
- Cees Jansen, Former cryptographer at Philips Usfa
Interview at Crypto Museum, November 2019.
- Wikipedia, Public-key cryptography
Retrieved January 2020.
- Crypto AG, Crypto AG is gearing up for future growth
24 January 2018.
- Der Spiegel, Wer ist der befugte Vierte?
Der Spiegel, 36/1996. pp. 206-207.
- Peter Hossli & Daniel Meier, Der Informant, der aus der Deckung kommt
NZZ am Sonntag, 16 February 2020.
- Paul Reuvers & Marc Simons, Interview with Oskar Stürzinger
Basel (Switzerland), 7 November 2008.
- Urs Paul Engeler, Razzia bei der Crypto AG
Handelszeitung (Switzerland). 18 March 2020.
Unreleased and undated draft copy.
This document contains (real) names of people, and will therefore not be
This document was written by a former BND/ZfCh officer, of which we have
chosen not to reveal the identy. Instead, we have identified the person by
his/her CIA cryptonym.
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?|
© Crypto Museum. Created: Thursday 12 December 2019. Last changed: Tuesday, 16 June 2020 - 08:12 CET.