Click for homepage
Crypto AG
Gentleman's Agreement →
The secret purchase of Crypto AG by BND and CIA

THESAURUS 1 (later: RUBICON), was a secret operation of the German Bundesnachrichtendienst (BND) and the US Central Intelligence Agency (CIA), to purchase the Swiss crypto manufacturer Crypto AG (Hagelin) — codenamed MINERVA — in order to control the company, its algorithms and – indirectly – its customers. From 12 June 1970 2 onwards, Crypto AG was jointly owned by CIA and BND, each with 50% of the shares, and from 30 June 1994 exclusively by the CIA [1].

Combined logos of CIA, BND and Crypto AG - Copyright Crypto Museum 2020 -

It was already known from the so-called Friedman Collection – that was partially released by the NSA in 2014 – that some kind of gentleman's agreement existed between the NSA and Crypto AG annex Boris Hagelin, probably resulting from their cooperation during WWII. But as the released documents were heavily redacted, much of the gentleman's agreement remained clouded [2].

In February 2020, Peter F. Müller and Ulrich Stoll with David Ridd from the German television station ZDF, Greg Miller from the American news­paper The Washington Post, and Fiona Enders and Nicole Vögele from Swiss television (SRF) program Rundschau, were able to fill in the gaps in the gentleman's agreement and much more, based on internal CIA and BND documents which they obtained. Working with historians Erich Schmidt-Eenboom and Professor Richard Aldrich on an investigation which lasted more than two years, they revealed that Crypto AG had been owned by the Central Intelligence Agency (CIA) and the Bundesnachrichtendienst (BND) since 1970.

Together with Huub Jaspers from the Dutch investigative (VPRO) radio program Argos, Crypto Museum's Paul Reuvers and Marc Simons took part in the investigation and were able to advise on technical matters. Discover how CIA and BND turned Crypto AG from a simple denial operation into an active measures operation. Learn which roles were played by the Deutsche Treuhand Gesellschaft (KPMG), a Liechtenstein law firm, Siemens, Motorola, NSA and Swedish intelligence. The following story is about — in the words of the CIA — The Intelligence Coup of the Century.

In the story below we have used cryptonyms for living people that we do not wish to expose. Crypto­nyms, such as MINERVA, are always written in upper case. However, if people have already appeared in publications before, or have given their consent, or if their name is unambiguous, we have used their real names. Organisations and companies are all referred to by their real names.

 Start reading

  1. The Greek word THESAURUS means 'treasury'. In 1987 it was renamed RUBICON (point of no return).
  2. The official sale was on 4 June 1970, but on 12 June, 50% of the shares were transferred to the CIA.

Contents of this page
Paul Reuvers and Marc Simons, 19 March 2020

Boris Hagelin
Boris Casear Wilhelm Hagelin (2 July 1892 - 7 September 1983) was a Russia-born Swedish engineer, inventor of cipher machines and businessman. In 1925 he developed his first cipher machine, whilst working with Arvid Gerhard Damm at A.B. Cryptograph in Stockholm (Sweden), of which his father, Karl Wilhelm Hagelin, and the Nobel family were investors. Hagelin eventually became one of the largest and most successful manufacturers of cipher machines: Crypto AG.

Hagelin was born on 2 July 1892 in Adschikent, a small town near Baku in Azerbaijan, then part of the Russian Empire. He was the son of a wealthy Swedish industrialist, Karl Wilhelm Hagelin (KW), who managed the Baku oil fields for the Nobel family. As KW was a personal friend of Emanuel Nobel, it was assumed that Boris would someday take over management of the Nobel oil interests.

After an initial education in Russia, Boris was sent to Sweden, where he graduated from the Royal Technical University in Stockholm in 1914, with a degree in mechanical engineering. After his graduation he entered service with ASEA – the Swedish General Electric – to apprentice for his presumed role in the Nobel enterprises, but the Russian Revolution of 1917 intervened and Boris would never return to the Nobel oil fields.

After spending a year in the United States, Boris returned to Sweden in 1922, where Emanuel Nobel employed him at AB Cryptograph, a small company set up in 1916 to exploit the crypto­graphic ideas of the eccentric Arvid G. Damm. 1
Click to see more

Apart from a womanizer, Damm was also a mechanical genius. He had developed a rotor-based machine, the B-1, of which the prototype was ready in October 1919. Two B-1 machines were later built and tested by the Swedish PTT. From this, he developed a two-rotor machine, B-13, 2 of which 20 units were built in France. In 1925, Boris Hagelin became the general manager of the company and in 1928, when the Swedish General Staff was looking for a new cipher machine that could compete with the German Zählwerk Enigma A28, he took Damm's B-13 and added two of his (now) famous pin-wheels to control the stepping of the rotors. It became known as the B-21.

In 1930, AB Cryptograph was liquidated and Hagelin transferred the assets to his new company Ingeniörsfirman Teknik. 2 He did not make much money until, in 1934, they received an order from the French Army for an electrical version of the B-21 with built-in printer. It became known as the the B-211. In the following year he also successfully developed a portable machine for the French Army — the C-35 — followed by the C-36, that would form the base for his later designs.

 More about Boris Hagelin

  1. It is often assumed that AB Cryptograph was owned by Arvid Gerhard Damm, but this appears not to be the case. The company was owned by Emanuel Nobel and – like Boris Hagelin – Damm was just an employee.
  2. Renamed AB Cryptoteknik in 1939.

William Friedman
William Frederick Friedman (24 September 1891 - 12 November 1969) was a United Status Army cryptographer, codebreaker, cipher machine developer and case officer. In the 1930s he worked for the Army's Signals Intelligence Service (SIS), and in 1949 he became head of the cryptographic division of the newly established Armed Forces Security Agency (AFSA). In 1952, when the AFSA was succeeded by the National Security Agency (NSA), he became chief cryptologist of the NSA.

William 1 Friedman was born in 1891 in Kishinev (Moldovia), then part of the Russian Empire. His father, Frederic Friedman, was the son of a Romanian Jew from Bucharest, who worked at the Tsarist post office as a translator. His mother was the daughter of a successful wine merchant.

Barely a year after William was born, the family fled the country to escape the pogroms. The family emigrated to the United States and ended up in Pittsburgh, where William's father became a door-to-door salesman of Singer sewing machines. But with the fluctuating economy of western Pennsylvania, the Friedmans struggled to stay afloat and were always short on cash.

William turned out to be a gifted student and in 1909, following high school, he entered Cornell University as a genetics major. Six years later, in 1915, he was still in graduate school when the department chairman received a request from George Fabyan, a rich cotton merchant from Chicago. Fabiyan had established a research institute by the name of Riverbanks, in Geneva (Illinois, US) and was looking for bright students.
Click to see more

Genetics was one of the research fields at Riverbanks Laboratories and Friedman became head of the Department of Genetics. Another research field of the lab, was code and ciphers. and it is in that department that he met his future wife Elizebeth Smith. Soon after the outbreak of World War I (WWI), Friedman entered service and soon became a renowned expert in codebreaking. His first acquintance with Hagelin cipher machines was in 1927 when he visited the factory in Sweden.

 More about William Friedman

  1. William Friedman was initially born Wolf Friedman, but three years after emigrating to the United States, his first name was changed to William.

World War II
In 1935, the US Army was looking for a device that could replace the aging M-94, a hand cipher that had been around since the days of Thomas Jefferson. The M-94 pocket cipher was easy to break, and the US Army wanted something more secure, that was suitable for tactical messages.

Friedman's organisation – known as the Signals Intelligence Service (SIS) – was given the task to find a replacement for the M-94. Friedman was well aware of Hagelin's machines, but disliked them. Although they were theoretically safe, they could be set up in such a way that they became highly insecure, making them easy to break.

In 1937, Friedman and Hagelin met for the first time, when the latter was touring the United States with his C-36 cipher machine. They hit it off immediately — they shared several interests — and would stay in touch for the next 30 years.
C-36 with open case - right view

In 1939, Hagelin was again in the United States, trying to sell the latest version of his C-36 cipher machine to the US Army. The machine was demonstrated to Friedman, who liked it but still found it too insecure when used improperly. So, Hagelin went back to Sweden to improve the machine.

In April 1940, Germany invaded Norway, whilst the improved machine wasn't ready yet. Fearing for the future in Sweden, Hagelin persuaded the Swedish Government to make him an official courier, and left the country with his wife Annie.

On 10 May 1940, following a distressful journey through war-torn Europe, they finally reached Italy, where they boarded the Conte de Savoia; the last ship that would sail to the United States. In his luggage were two dismantled C-36/C-38 machines and the engineering drawings. After several days, they arrived safely in New York.
The converter M-209

The rest is history. Hagelin finished the design and sold the rights to the US Government for no less than US$ 8,614,790 using a French banker – James Paulding – and an American Wall Street broker – Stuart Hedden – as feduciaries. 1 The new machine, designated M-209, would become the workhorse of the US Army. By the end of the war, no less then 140,000 had been built at Smith & Corona in Syracuse (New York). It made Hagelin the first crypto millionaire in the world.

  1. Hagelin wanted the royalties to be described as 'capital gains' which were not taxed in Sweden. Instead he payed 25% income tax in the US. His gross proceeds were US$ 2.8 million (netting at US$ 1.8 million). Pauling received US$ 430,000 and Hedden US$ 140,000. Smith & Corona made a profit of US$ 5 million.

Back in Sweden   1944
WWII was coming to an end. As soon as it was safe, Hagelin moved back to Sweden, where he arrived in the fall of 1944. He reopened his factory and had great expectations of future sales. But the post-war market was small and poor, and sales kept dropping. In 1947, he sold just 54 machines. The high days of the war were clearly over and Hagelin went into a depression. 1 Over the years he often considered closing the company's doors. Only his intrinsic interest in crypto­graphic machines and his personal wealth kept the company afloat during these lean years.

Hagelin sales (machines) from 1945 to 1951

  1. Like Friedman, Hagelin had bouts of depression, which afflicted him throughout his life.

New machines   1946
Despite depressions and low sales figures, Hagelin continued to improve his machines, and kept Friedman informed of any improvements and changes. In the autumn of 1946 – following a visit of Hagelin to Washington – Friedman paid his first visit to the Hagelin factory in Sweden since 1937. He was anxious to learn the details of the announced CX-machines which, according to Hagelin, would feature irregular stepping. In his report about the visit [1], Friedman wrote:

... it is clear that if he continues to improve his machines and make them technically more secure, we shall sooner or later be faced with greatly increased difficulties in continuing past successes in the solution of foreign communications.
Surplus M-209 machines
In the following years, the relationship between Hagelin and the SIS – by then dissolved into the AFSA – turned out to be troublesome. In 1951, AFSA placed a secrecy order on one of Hagelin's patents, and on top of that, surplus M-209 machines – the machine that had brought Hagelin's initial fortune during WWII – were flooding the market, thereby effectively killing Hagelin's sales. This was a clear violation of the wartime contract between Boris Hagelin and the US Government.

Friedman chased the surplus sales as best he could, but could not prevent large quantities being sold on the international market. The problem with the surplus M-209 machines would not go away, and would return several times in the following years. In fact, AFSA used it, to maintain its grip on Hagelin. If Hagelin would not comply, they might release M-209 machines on market.

NSA logo

The Gentleman's Agreement   1950-1957
Friedman's visits
In the years following WWII, the US and UK were able to read the high-level cipher systems of most countries (even allies), businesses and diplomatic missions – with very few exceptions – whilst their own systems were impenetrable. This changed in 1948, when the Russians changed all their systems, and provided these to North Korea al well. In 1950, North Korea attacked South Korea, and the US was unable to read their traffic for the remainder of the Korean conflict.

Despite this setback, the rest of the world was still readable, 1 as most countries used Hagelin equipment. But AFSA realised that this would be over as soon as Hagelin introduced his new CX-machines. It was clear, that a deal should be made with Hagelin to prevent this from happening.

In January 1950, Hagelin was invited to Washington. He had hoped to get a large order from the US Army, but upon his arrival it became clear that the Americans were about to introduce a new machine for NATO: AFSAM-7 (KL-7). There were no plans to buy Hagelin equipment. According to AFSA, his equipment was too strong to be broken, but not strong enough for American use.

It is at this meeting, that Friedman made his first proposal to Hagelin. He suggested that Hagelin would only sell readable equipment, and that the worldwide sales of the new CX-machines would be controlled by the CIA. In return, Hagelin would be compensated for this, and would move to the US with his family, but remain a consultant for the CIA for at least two years. Summarising:

  • Hagelin will only sell readable machines
  • The CIA will control the sales of secure CX-machines
  • Hagelin will receive compensation (a lump sum of US$ 700,000) 2
  • The Hagelin family will move to the US
  • The CIA will accomodate the move of Bo Hagelin (Boris' son) to the US
  • Hagelin's daughter will get a visa for her husband (who is a Turk)
  • Hagelin will receive US 600 per month for consultancy
Friedman created a draft agreement and presented it to the United States Communications Intelligence Board (USCIB) and the AFSA Committee (AFSAC), but despite Friedman's apocalyptic prospect — we will be blind within a few years — AFSAC turned it down as they did not trust Hagelin. In June 1951, Friedman tried again with a revised proposal, but it too was turned down.

In the meantime, Hagelin went back to Sweden and acted as if a deal with AFSA/CIA had been struck. He kept providing AFSA with details of his cumstomers, and kept Friedman informed about the development of the new CX-machine.

In 1952, he even sent a nearly-completed CX-52 prototype to Friedman for evaluation, something he wouldn't even have done for his most valued customer. It became clear that the CX machine would be difficult to break. Its inter­changeable pinwheels and irregular stepping defeated all existing methods for solving Hagelin machines.
Removing the pin-wheels from a CX-52

The necessity for a deal with Hagelin remained, and the negotiations were reopend several times in the following years, as and when there was a pressing need. Although the deal was never put in writing, it is clear that a Gentleman's Agreement of some sort existed between Boris Hagelin and the AFSA — meanwhile transformed into the newly founded National Security Agency (NSA). The deal was reviewed in 1953 — authorised by the first DIRNSA Ralph Canine — and again in 1955 and in 1957, and Friedman would always play an important role in the negotiations.

As part of the 1953 negotiations, it was agreed that, as and when Hagelin was ready to retire and wanted to sell his company, the US would have the first right of refusal. Should the US decide not to buy, they could approve (or disapprove) any potential buyer. Again, this was not put in writing. At the same meeting, Hagelin suggested that NSA could develop the cryptologic of the CX-52.

 More about The Gentleman's Agreement

  1. In this context, readable means that the cryptographic algorithms could be broken by NSA. Also known as friendly. In contrast: algorithms that are not breakable by NSA, are called unfriendly, unreadable or secure.
  2. This was negotiated by Stu Hedden, Hagelin's representative in the US, who would get US$ 250,000 of it.

Neutral Switzerland   1948-1952
In the meantime, Hagelin increasingly grew irritated by the restrictive laws and high tax burden in Sweden. It was his intention to sell machines to countries like Indonesia, Turkey and Egypt, but the Swedish intelligence service FRA did not approve them. After a short business escapade in 1949 with Dr. Edgar Gretener in Switzerland — they jointly developed the TKG-35 — he decided to move his business there. It would bring him closer to the action with fewer export restrictions.

In 1948, Hagelin had bought a villa in Zug (Switzerland) to which he had moved with his family prior to starting the cooperation with Dr. Edgar Gretener. The joint venture with Gretener did not last, and was terminated in less than a year. Hagelin then started developing new machines from his house in Zug, using two engineers: Lindmark – the primary engineer of the Stockholm factory – and Oskar Stürzinger – Gretener's main engineer – whom he had been able to lure away.

For the time being, new machines, like the C-52 and CX-52, were developed in Switzerland and manufactured in Sweden. In 1952, Crypto AG was officially opened, with Oskar Stürzinger and his wife Emmy as the first two employees. Over the next couple of years, additonal buildings were added and in 1956 Sture Nyberg moved with his family from Stockholm to Sweden to become the new plant manager in Zug. In 1958, the old AB Cryptoteknik in Sweden was officially liquidated.

In the following years, business went well for Crypto AG. The new CX-52 was well-received and sales figures were on the rise. Boris's son – Bo Hagelin jr. – would soon move the USA to handle sales in North and South America. By 1966, the premises in Zug would have become too small.

The legal construction in 1952
In 1950, before the launch of Crypto AG, a complex company ownership structure was created, to avoid (or evade) the most burdensome taxes. The diagram below shows how this was done. The new Swiss company Crypto AG was owned by a holding in tax paradise Principalty Liechtenstein, under the name Anstalt Europaeische Handelsgesellschaft (AEH), the legal owner of which was initially Anstalt Domar, a legal entity of the Liechtenstein law firm Marxer and Goop.

Ownership was in bearer shares, which were transferred, immediately after creation, to Hagelin's Nymphen Stiftung, using a so-called Blanko Zession (blank form), a creation of Marxer and Goop that would hide the actual ownership. The public would think that the owner of AEH was Anstalt Domar, but in reality the shares had been transferred. Any questions about the ownership, would be deflected by Marxer and Goop who, being a law firm, did not discuss the affairs of its clients.

CIA logo

The SPARTAN program
Retirement plans   1952
When Hagelin opened Crypto AG in 1952, he was already 60 years old. He had planned to retire in 1957, when he reached the age of 65, and leave the company to his son Bo, but history would decide otherwise. In 1955, after a visit to Hagelin's factory in Zug, Bill Friedman suffered a heart attack. He retired in August of that year and Hagelin lost his valued friend and prime NSA contact.

The relationship between Boris and Bo deteriorated. Bo appeared to be homesick and his new American wife was not liked by the Hagelin family. Furthermore he was spending far too much money. The situation was worsened by a dispute over the new CD-55 pocket cipher machine, of which both Hagelin's claimed the invention. Hagelin fell out with his new NSA contact, Dr. Shinn, and in 1957, Bill Friedman had to be recalled from retirement to reopen the negotiations.

Ready to sell   1957
At several moments in time, Hagelin had contemplated selling his company. He had established a good working relationship with Siemens in Germany, he was tired of the relationship with his son Bo and, more importantly, he was tired of the restrictions imposed by the Americans, the French and probably also the Swedes. In the meantime, stocks of the new CX-52 machine kept piling up, to the point were, in 1957, he decided to covertly start selling the machines to denied countries:

Sales of 347 CX-machines to denied countries in 1957

This was the year in which he had intended to retire, and on Friedman's visit to Zug in September 1957, he told him that he had two options: (1) handover management of the company to his son Bo, or (2) sell out to Siemens, neither of which was very attractive. Friedman reminded him of a third option, discussed during the 1953 and 1955 negotiations: sell out to the Americans.

Although Hagelin initially rejected the idea, he later asked Friedman to broach it with American authorities. Friedman wasted no time and immediately wrote a proposal, but the idea met with fierce opposition within NSA. It wasn't worth the risk and there were good prospects for breaking (at least some of) the CX-traffic anyway. Friedman crusaded for months, but John Samford – the new DIRNSA who had taken over from Ralph Canine in late 1956 – was not very fond of him.

Licencing agreement with CIA   1960
In Washington, the matter was discussed between the NSA and the CIA, and negotiations about 'The Hagelin Problem' were started. But then, in May 1958, NSA abruptly opted out and turned all its files over to the CIA, where the matter was handled directly by Director Allen Dulles, DDP Richard Bissell and General Councel Lawrence Houston. The NSA – and therefore also Friedman – were no longer in the loop. Friedman made one final official trip to Switzerland, on 8 June 1958, to explain matters to Hagelin and to introduce him to the new CIA negotiator: John Ferguson.

John Ferguson was an American lawyer who lived in Paris (France). He quickly put a deal together, in which the CIA would covertly purchase the company for US$ 2,000,000, with annual payments of US$ 50,000 for at least five years. The money would be channeled to Boris Hagelin through a Swiss company that had been setup for this purpose — Pan European Corporation (PEC).

The proposed buyout by the CIA in 1959 that didn't make it

A German entrepreneur, Eric Warburg, was hired to setup an overt company that would act as the ostensible owner, although in reality, PEC (i.e. CIA) would be the owner. Boris Hagelin would effectively retire and receive an annual fee for consultancy. Despite the NSA's earlier objections, they agreed with the purchase (although they had opted out, the CIA still needed its consent). After the deal would be signed, both Hagelin and Friedman would be out of the picture, and Sture Nyberg – whom Hagelin preferred over his son Bo – would become the new managing director.

But it was not to be. In mid-1959, accountants concluded that the firm's value was less than the anticipated US$ 2,000,000, and that new calculations had to be made. In addition, NSA — where the pros and cons were equally divided — again opted out of the purchase on 6 October 1959.

In the end, the CIA went for a simpler solution: a licencing agreement, in which Hagelin remained the owner, but sales to certain listed countries were prohibited. Basically the same as the original Gentleman's Agreement, but in writing. Hagelin could sell anything to all NATO countries plus Switzerland and Sweden, and the rest was subject to a chart that was attached to the agreement. Eric Warburg was no longer needed, but PEC was kept to allow money to be channeled to Hagelin.

Hagelin would get US$ 600,000 as compensation for lost sales, plus an annual fee of US$ 75,000 for consultancy for as long as the agreement lasted, which was at least 5 years with an automatic renewals for one year (after 1965). After 1975, the renewals would require the consent of both parties. On 10 November 1960, after numerous objections by the NSA, the licencing agreement between Hagelin and the CIA was finally signed. The project was given the cryptonym SPARTAN.

The start of the SPARTAN program coincided with a dramatic increase of sales at Crypto AG, as shown in the diagram above. By 1963, the premises in Zug had become too small and a large new building was erected in nearby Steinhausen. It was opened in 1966 and housed 180 employees.

Renewed licence   1963
Many of the new sales were in Latin America. Hagelin had always assumed that these countries were not on the proscribed list, but when in 1960 NSA admitted that they were very sensitive to sales in that area, Hagelin stopped supplying secure machines to these countries. He stopped advertising the CX-52 below the Mexican border, and managed to persuade Brazil — who had purchased CX-52/RT machines 1 — to swap them for the exploitable (readable) CX-52-M-27.

Additional compensation for Hagelin, following stricter NSA guidelines in 1963.

In 1963, NSA requested a modification of the agreement, in order to impose more stricter guide­lines on equipment sales. The CIA compensated Hagelin for the additional loss in sales, in four installments, as shown in the diagram above. In addition, the CIA payed US$ 10,000 per year for sales efforts into countries that might be unprofitable, but which the NSA would like to see using exploitable equipment. NSA and CIA finally agreed to rewrite the instruction manuals for the machines, so that different customers would get a different understanding of secure operation. 2

By 1969, only Argentina was using a machine that was invulnerable to cryptanalytic attack. It is unclear which machine this was, but it seems likely that it was a CX-52 or perhaps a CX-52/RT — a one-time tape machine (OTT) — which is unbreable when used properly. Crypto Museum can confirm that it has found such machines in South American countries like Uruguay and Argentina.

  1. RT or Random Tape machines, use the One-Time Tape principle and are theoretically unbreakable.
  2. It had previously been arranged with NSA – as part of the Gentleman's Agreement – that NSA would write the (manipulated) 'manuals for proper use', but this had never happened.

The age of the shift-register   1964
By the mid-1960s it became clear that the days of the mechanical cipher machines would soon be over, and that electronic shift-registers would be the way forward. A shift-register — roughly the electronic equivalent of a cipher wheel — is filled with random bits (the key) and then used to create a virtually infinite random stream of bits – ones and zeros – in a seemingly random order.

The diagram above shows a simple 16-stage shift-register. On each step, the contents are shifted to the left by one position, producing an output bit at the left, and a vacant position at the right. The vacant position is then filled by taking the bits from carefully selected positions, and adding them together (modulo-2). This way, complex tapping schemes and combined shift-register circuits can be used to create complex Linear-Feedback Shift Registers (LFSR) — later also Nonlinear-feedback shift registers (NLFSR) — resulting in complex crypto algorithms [17].

Example of a complex shift-register that was used in the contemporary British BID/610.

In 1965, it was decided that Crypto AG should make the move to fully electronic cipher machines based on shift-registers, as otherwise the company would lose business to other – unreadable – manufacturers. It would make the NSA's cryptanalytic problem much bigger, but NSA's Peter Jenks figured out a way to make a shift-register that looked random from the outside, but was in fact exploitable. Dedicated machines for breaking shift-register algorithms would have to be built, at some considerable cost on the part of the NSA, but it would certainly be worth the effort.

The improved CX-52M   1965
Jenks first tried his idea on the existing (mechanical) CX-52. The machine could be set up in such a way that it produced a short cycle length (period), which was easy to break. Jenks 'improved' the cycle length, albeit with a predictable pseudo-random motion that he could successfully attack. Hagelin knew that this was the case, but kept his mouth shut, and Crypto AG advertised it as the more secure CX-52M variant, which customers immediately started ordering in quantities.

The same could be done with shift-registers, but to make it work, the NSA would have to design the cryptologic. And so it happened. Crypto AG developed its first electronic cipher machine — designated H-460 — and NSA developed the cryptologic for it, which was ready in March 1965. But at Crypto AG, the project than ran into trouble, as we will see in one of the next chapters.

The SPARTAN bonus   1966
The licencing agreement passed its five-year point in 1965 without any serious problems. By 1967, the SPARTAN program had exceeded the CIA's and NSA's wildest expectations. It had changed from a simple denial operation 1 into a full active measures operation. Not only did the CIA control to which countries readable equipment was sold, but by designing the cryptologic for the next generation of (electronic) machines, NSA had provided a mechanism that allowed CIA to insert exploitable machines anywhere in the world. This was a completely unexpected bonus.

  1. A denial operation is a theoretical framework, in which certain information and/or techniques are kept from certain organisations or individuals. In this context it means that certain secure (unreadable) cipher machines were kept from certain countries.  Wikipedia

Combined CIA, BND and Crypto AG logos

The MINERVA purchase   1967-1970
The French connection   1967
Although the relationship between Hagelin and the CIA became closer by the year, there were also threats. On 29 November 1966, Boris' wife Annie had died, and CIA was afraid that he might soon retire. It would therefore be wise to reconsider the agreement sooner rather than later.

But the French were about to throw a spanner in the works. On a visit to Paris in early January 1967, Hagelin was approached by André Mueller of the French cipher service, who wanted to buy Crypto AG on behalf of the French and German governments. Mueller had spoken with Erich Hüttenhain — the head of the German cryptanalytic service ZfCh — who had given him the green light. Money was no object, and the US and UK interests (NSA, CIA, GCHQ) would be taken care of.

On 23 January 1967, an agitated Boris Hagelin called his CIA case officer, requesting an urgent meeting. He informed him about the French proposal. CIA officials subsequently contacted Sture Nyberg – effectively the managing director of Crypto AG – who confirmed that Dr. Wilhelm Göing, Hüttenhain's deputy, had made the same offer two months earlier. It seems likely that Hagelin had a side deal with the French, that dated back to the sale of 5000 C-35 machines in 1936 [2].

The German approach   1967-1969
The American agencies CIA and NSA had a good relationship with their German partners, the Bundesnachrichtendienst (BND) and the Zentralstelle für das Chiffrierwesen (ZfCh), that dates back to the days following WWII. In 1962, the NSA and the British GCHQ had established a presence in Germany – the Combined Group Germany (CGG) – but its role was limited to the exchange of intercepted traffic and product reports. So, the CIA hestitated and hestitated.

Hagelin, who wanted the Americans' consent for a deal between the French and Germans, also delayed. But in October 1967, during a visit to the ZfCh in Bonn, Nyberg was informed by Erich Hüttenhain that everything had been settled. The Germans had the money and all arrangements had been made to purchase the company from Hagelin for 25 to 30 million Swiss francs. 1

But it was not settled. The Americans had not been informed and Hagelin was asked to broach the subject with the CIA himself. He hesitated, as he knew the Americans wouldn't like it. Nothing happened during 1968, but in early 1969, Hagelin began pressing the Americans for a decision. Shortly afterwards, Wilhelm Göing – who was about to become the next head of ZfCh – flew to Washington with a proposal. It involved the well-known German technology giant Siemens, who would become the apparent owner. The purchase would be financed by French and German intelligence. The question now was: were the Americans interested in becoming partners as well?

  1. About US$ 7 million.

The American decision   1969
NSA liked the idea of bringing Siemens in, but didn't want any French involvement. In addition, they saw nothing more than a technical role for NSA, so, in March 1969, ZfCh was informed that NSA was not interested. Messages went back and forth between Germany and the US. The CIA liked the idea of being able to supply controlled cryptography to certain countries, but the NSA did not want any involvement. It was suggested that the Germans should proceed on their own.

In September '69, Hagelin informed his CIA case officer that Hüttenhain (ZfCh) wanted to proceed with the purchase, which prompted the NSA to reconsider its position. It agreed to work with the CIA and the Germans, to buy Crypto AG for US$ 7 million, for an equal partnership with the German BND. CIA and BND would each pay US$ 3.5 million, and the French would be shut out.

Siemens – by now firmly under control of BND – would act as the ostensible owner. French and Swedish intelligence services would be informed, but should think that Siemens was the owner. 1
Boris Hagelin after his retirement (photograph taken on his 80th birthday on 2 July 1972) -- Crypto Museum collection CM-303151

But there was one more hurdle to be taken. The BND was unable to pull the necessary cash from its modest operating budget, and were reluctant to inform the country's politicans about the clandestine deal. So, it asked Siemens to come up with the money and become a 50% owner. But in December 1969, Siemens got cold feet and backed out of the deal. Luckily, when BND briefed the Chancellor's intelligence coordinator, the latter became estatic and raised the required cash.

  1. The Swiss were not informed (to allow for plausible deniability). It was assumed however, that they would be informed by Hagelin himself.

The MINERVA sale   1970
The actual sale was made on 4 June 1970, the day on which the shares of the company were passed to the BND, for a total amount of CHF 25 million (~ US$ 7 million). And the agreement with the CIA was contained in a memorandum of understanding of 12 June 1970. To hide the actual ownership from public view, a complex scheme of companies and fiduciaries was used.

Hagelin received his CHF 25 million in three installments: one with the sale on 4 June 1970, and two further ones in the next two years. He had remarried in 1969, and insisted that a pension be provided for his wife Elsa 1 after his death. BND and CIA were now the joint owners of Crypto AG.

Ownership of the company was in barer shares, that were deposited in the Schweitzerische Kreditanstalt (now: Credit Suisse) under the name of Deutsche Treuhand Union (DTU), a German feduciary. Originally there were 3000 shares that BND had obtained from Hagelin, but this was increased to 4500 in 1977 and to 6000 in 1978, probably to inject additional capital for new developments. DTU board members voted the majority of the shares on behalf of the owners. 2

The new partners – BND and CIA – decided to call their joint project THESAURUS (treasury), but changed it to RUBICON (point of no return) in 1987. Crypto AG itself would be called MINERVA. In order to establish or change the policy of the company, the partners held periodic conferences in which the course of action was determined. These were in fact covert board meetings.

  1. Elsa Hagelin (née Svensson) had been the nurse of Hagelin's late wife Annie.
  2. The names of the representatives are known, but we have chosen not to disclose these.

Click to see more

The Siemens legend
Although Siemens had backed out, and did not become the actual owner of the company, the BND required its cooperation. It was decided that Siemens would provide a so-called Beirat – an external advisory board – that would assist Crypto AG with new developments. The BND could then influence designs and algorithms through its Zentralstelle fur das Chiffrierwesen (ZfCh).

Furthermore, it was agreed that Siemens would act as a legend, in case the actual ownership of the company was ever questioned. Should it ever be necessary, Siemens could pretend to be the owner, which was credible given the fact that it provided assistence through the Beirat route.

The legal construction in 1970
The diagram below shows how it was done. In a secret agreement of 1 June 1970, the Bundes­vermögensverwaltung (BVV), 1 transfered the money to the Deutsche Treuhand Gesellschaft München (DTG-M) — today known as KPGM. The Founder's Rights of AEH were sold for cash by Hagelin's Nymphen Stiftung to DTG in a sales contract dated 2 June 1970. The Nymphen Stiftung then transferred its Founder's Rights to Anstalt Domar – Marxer and Goop's creation that acted as the ostensible owner – who then issued a Blanko Zession 2 to DTG. These were the barer shares.

DTG passed the Blanko Zession on to the BVV, which acted as a cover for the BND. The BVV then gave the Blanko Zession to the BND. This way, no one, not even the law firm Marxer and Goop was aware that the BND was behind the deal. DTG was the fiduciary and the ostensible owner as far as Marxer and Goop was concerned. And BVV was the owner as far as DTG was concerned. On 12 June 1970, in a memorandum of understanding, the BND transferred half the shares to the CIA so that no one, not even the Deutsche Treuhandgesellschaft, was aware of any CIA involvement.

Ownership of Crypto AG in 1970. Move the mouse over the diagram to reveal the codenames.

At the BND, the project was handled by the 4th Directorate, 3 under which the German cipher authority ZfCh resided. The ZfCh delivered input to Siemens who, through its Beirat, influenced the products and cipher algorithms of Crypto AG. All under direct control of the German BND.

In the US, things were slightly more complicated. Although the CIA owned 50% of the company, codebreaking was the responsibility of the NSA, so there had to be some level of cooperation between the two services. NSA developed readable algorithms, which were then passed by the cover company Intercom Associates to Motorola, where they were implemented in new products that they (Motorola) developed on behalf of Crypto AG. All under indirect control of the CIA.

  1. The Bundesvermögensverwaltung (BVV) is roughly the equivalent of the American General Services Administration. The BND frequently used (and uses) the BVV for secret and covert transactions.
  2. Blanko Zession (blank form) was a creation of the Liechtenstein law firm Marxer and Goop (later: Marxer and Partner), that was used for Anstalten (institutions), rather than stock companies. The Blanko Zession stated who the initial owner was, and had a blank space for a potential new owner. In reality, the blank space was never used and only the barer shares constituted ownership.
  3. At the time of the sale, ZfCh was an independent body under Directorate II of the BND, but in 1973 is was placed under direct control of Directorate IV of the BND, which also handled Project THESAURUS (RUBICON).

Hagelin - the Swiss Army Knife of Cryptography

The new owners   1970
Influencing algorithms
The new CAG-owners – BND and CIA – now had a grip on all products that were developed both externally and internally. The diagram below shows how this was done. The BND could, through the ZfCh, influence Siemens, who would then, through the Beirat, influence Crypto AG. The CIA talked with the NSA, and both supplied experts for the cover company Intercom Associates, which offered its expertise either directly to Crypto AG or indirectly, through Motorola developments.

Influencing of the cryptographic algorithms

There are several accounts from former Crypto AG personnel that the company had frequent visits from Intercom Associates people, including NSA's Nora Mackebee, who – in addition to the Beirat – advised the developers on subjects like cryptographic algorithms [3].

After the sale of Crypto AG had been completed in 1970, Boris Hagelin took a step back and retired at the age of 78, thirteen years later than anticipated. At the same time, Sture Nyberg, who had been the plant manager for many years, became the new CEO. He had effectively been running the company for the past 10 years anyway, and knew who the real owners were.

Nyberg retired in 1975. He was a leftover from the Hagelin era — he came from the factory in Stockholm — and was clearly growing old. He was replaced by Heinz Wagner, a young up-and-coming manager who had been recruted from the ranks of Siemens. He had no experience with crypto whatsoever, but was dynamic, charismatic, good looking and decicive. When he walked into a room, all heads turned towards him. After a technical training at the NSA in the fall of 1975, he assumed command on 1 January 1976. He would stay on for the next 13 years, and guide Crypto AG through the most profitable and eventful years in the history of the company.

Bo's death
Although Boris Hagelin's son Bo would originally have been the heir to the throne, the entire deal with BND and CIA was kept outside his view. The relationship between the two Hagelins had declined so steeply that they were barely on speaking terms. In 1962, Boris had even appointed his plant manager Sture Nyberg as the trustee of his estate. Should he (Boris) die before the company was sold, Nyberg would manage the sale afterwards. Bo Hagelin was not informed.

The CIA didn't trust him either. Despite the help that he had provided to the CIA over the years, Bo was seen by many as a profit-oriented wild card. They were afraid that – once he discovered the true nature of the deal – he might try to derail it or, worse, expose the true owners of the company. But then in November 1970, Bo was killed in a car accident – just five months after the ownership of the company had been transferred – and CIA no longer had to worry about him.

The partners began the relation with handicaps. First of all there was a huge difference in style between the services of the two countries. The BND was a military kind of organisation where everything was orderly done by the book and efficiency was paramount, whilst at the CIA the emphasis was on freedom of action and personal initiative. The Germans were known for their attention to detail, whilst the Americans were inclined to ask forgiveness rather than permission.

There was also a huge difference in the available budget. With the Americans, money never was an object and NSA has a vast array of Cray supercomputers at its disposal. The Germans on the other hand, were on a tight budget. They could not afford supercomputers — at least not until 1985 — and had fewer staff for codebreaking. They had to find other ways to achieve their goals.

In August 1970, NSA representatives visited the Crypto AG factory in Zug, and noticed that it would become very difficult to control the company and its algorithms. Apparently, the engineers made improvements and modifications for virtually any customer who asked. They realised that Operation THESAURUS was not going to be an easy ride, especially not with unwitting employees.

The H-460 debacle   1965-1972
In 1965 it had been decided that Crypto AG should make the transistion from mechanical cipher machines to electronic ones. This was before the MINERVA purchase, during the days of the CIA licencing agreement. The NSA developed the cryptologic, and CAG would develop the machine.

But the development met with obstacles and was delayed several times. NSA developed the first version of a readable cryptologic and delivered it to CAG in March 1965. But CAG-engineers had virtually no experience in developing electronics.

In fact, they barely had any developing skills at all, as in the days of the mechanical machines, most of the design work had been done by Boris Hagelin himself. The new machine — that was to be designated H-460 — gradually progressed over the next couple of years and eventually, in 1970, it was thought to be ready for release.
H-460 cipher machine - click for further information (image kindly provided by Nick Gessler)

When it was announced in 1970, the Italian Army promptly orderd 280 machines. But when the first 82 units were delivered, there were so many problems that they returned all of them. The design was reviewed by the German cryptographic authority Zentralstelle für das Chiffrier­wesen (ZfCh), who hired German technology giant Siemens to partly redesign the machine and fix the technical design flaws. The improved H-460x machine was eventually re-released in 1972.

Later that year, in November 1972, the issue of the H-460 would lead to a conflict between the partners, when NSA refused to tell ZfCh how to break the cryptologic of the H-460 or the T-450, which was the teletype version. NSA's Frank Raven did not want to discuss anything that predated the MINERVA purchase. The matter was partly cleared in the spring of 1973, when Raven finally allowed to discuss the H-460 and T-450 informally, as long as it was not documented.

Click to see more

The 500-series machines   1973-1978
Crypto AG engineers knew that the days of the mechanical cipher machines were over and that a replacement was needed for the ill-fated H-460. They had been working on an electronic shift-register-based cipher machine since 1970, but by 1973 there still was no machine. The partners decided to take over the project and produce a readable machine that would be called HS-4700 1 (later: HC-570). NSA said it could design it six months, but this turned out to be too optimistic.

In mid-1974 it was decided to bring Motorola into the game. Motorola was a technology giant – established in 1928 by Paul Galvin – and was able to provide the microprocessor technology that the project needed. CEO Bob Galvin was approached through the CIA's cover Intercom Associates and the situation was explained. 2

The basic machine had already been developed at Crypto AG. Motorola only had to develop the cryptologic, which would be based on a Motorola 6800 microprocessor in which the NSA-supplied algorithm would be implemented in software.
HC-570, cryptologic developed by Motorola, marketed by Crypto AG. Click for more information.

The development was done by the Government Electronics Division of Motorola in Phoenix. It was agreed that Motorola could use any of the technologies that emerged from the project, and that the US Government would compensate for any losses made during the course of the project. According to the engineers, it was the first time that an algorithm was implemented this way.

Motorola kept its promises and delivered the first prototypes in September 1975, and CAG marketed the first 30 machines in early 1977.

Next, it was decided that a portable variant of the machine was needed, similar to what the hand-held CD-57 had been in the mechanical era. The partners were in a hurry, as competitor Gretag had just announced the small portable Gretacoder 905, and wanted Crypto AG to be able to compete. The partners decided that the new machine – designated HC-520 – would be developed by Siemens in München (Germany).
HC-520 (right), developed by Siemens, marketed by Crypto AG. At the left is the Gretacoder 905 from competitor Gratag. Click for more information.

The HC-520 was an immediate hit, and became particularly popular in South American counties like Argentina. Unfortunately, this could not be said about the HC-570. The machine, which was partly designed at CAG and partly by Motorola, was too complicated to build and too expensive.

As a result, not many were ordered and Crypto AG's sales ran into red figures. It was clear that a suitable replacement for the HC-570 desktop machine was needed as soon as possible.

Siemens came to the rescue. Jointly with Philips, they had just developed a cipher machine for NATO – known as Aroflex – based on its T-1000 teleprinter. Siemens marketed it as T-1000/CA. They allowed the bare T-1000 to be also used as the basis for a new CAG machine, although it competed with their own one. The new machine was called HC-550, and is shown on the right.
HC-550, based on a Siemens T-1000 teleprinter, marketed by Crypto AG. Although similar in appearance to Aroflex, it is entirely different. Click for more information.

The cryptologic of the machine was based on the same Motorola-design with the 6800 micro­processor as the HC-570. It was housed in a slimline black unit, that was bolted to the bottom of the Siemens T-1000 teleprinter, in the same way as it was done with the Philips/Siemens Aroflex. The new HC-550 became one of the most popular models and turned out to be highly profitable. The HC-500-line was complemented by the HC-530, a briefcase version with acoustic modem.

 More about the 500-series

  1. In some documents it is described as H-470 or H-4700 (later renamed HC-570).
  2. They did not tell him that the BND and the CIA actually owned the company, but they led him to believe that Siemens was the owner and that CIA and NSA provided the designs.

Divide and conquer
Part of the arrangement between CIA and BND, was that intercepted traffic would be freely shared between the partners. Each partner was then responsible for its own codebreaking, but CIA never found out how successful the Germans were. NSA sent copies of its intercepts to ZfCh, and that was it. Apparently the output of the codebreaking work itself – the production – was not shared.

In the US, NSA had a vast array of Cray supercomputers 1 at its disposal. With suitable software, they managed to break significant amounts of foreign messages. In Germany, codebreaking was the task of ZfCh, but their budget was limited. Too limited for Cray computers. Nevertheless they were just as successful as NSA, by using clever optimised programming techniques, 2 but these were not shared with NSA. Finally, in 1985, a Cray supercomputer also became available to ZfCh.

It was initially agreed that all NATO countries plus Sweden and Switzerland were allowed to buy secure (unreadable) equipment from Crypto AG. However, as time progressed, more and more countries were taken off the secure list, including Spain, Greece, Italy and Turkey. It was clearly NSA's policy to sell readable equipment to everyone. Germany, on the other hand, supported the two-cryptologics 3 approach — the BND was opposed to selling readable equipment to its allies.

  1. At the time, Seymour Crey developed the fastest computers in the world. NSA bought its first line of Cray computers in 1968, and when Cray later had its own firm, NSA became his largest customer.
  2. According to ZfCh officer HANSEN, ZfCh used a programming technique known as Hypothesenverfolgung (Hypothesis-Tracking) to break ciphers without the need for a supercomputer [9].
  3. This means that two version of the cryptologic were available: readable and unreadable.

Operation Thesaurus was no doubt one of the most successful intelligence projects ever. Crypto AG was at this point the preferred supplier to 80-90% of the world market for cipher equipment. As a result, the diplomatic and military traffic of many third world countries became readable, but also that of several European countries, including Ireland, Italy, Portugal and Spain [9]. By 1977, NSA was reading about 57% of all its intercepted cipher messages. It was estimated that, without the MINERVA production, this would have been about 29%.

CAG sales figures (in million Swiss Francs) and profits (in %)

At the same time, Crypto AG's business was growing rapidly. From the start of the operation, in 1970, the turnover had increased steadily, and by 1975 it had more than tripled. And despite heavy investments for the development of new technologies, the forecasts were promising.

H-460 Crisis   1976
Despite the fact that the ill-fated H-460 machine had been fixed and re-released in 1972, its problems would haunt the company for several more years. Customers kept complaining about the mechanical stability, and there were complaints about the strength of the cryptologic. By 1976, the Italians and Egyptians had discovered its weakness, and demanded an explanation.

CEO Heinz Wagner fended it off with his usual charm. The machines were returned to Crypto AG, where an updated cryptologic — unique for each customer — was fitted, resulting in the addition of a single-digit suffix to the model number, such as H-4603, H-4604, H-4605, etc. Although the algorithm had been improved, the machines were still readable by the NSA, albeit with more cryptanalytic processing power.

 More about the H-460

The 'cryptologic' of the H-460

The Egyptian crisis   1978
T-450 was an online encryption device for teleprinter communications that had been introduced in 1969, in the days before BND and CIA owned the company. It had been developed in parallel with the H-460, and featured a similar (weak) cryptologic. In the autumn of 1978, the Egyptians started complaining about it and demanded a solution. At NSA, Dave Frasier developed a drop-in fix that made it more secure – but still exploitable by NSA – albeit with more computing power.

In the meantime however, unwitting CAG-employee Jürg Spörndli, had developed his own changes to the cryptologic, that made the device completely impenetrable. But this was not wat the NSA wanted, of course. The event led to an internal crisis at Crypto AG, but in the end, the NSA won the argument and their modified (readable) cryptologic was delivered to the Egyptians.

 More about the T-450 crisis

HC-500 Crisis   1979
In February 1979, less than two years after the introduction of the HC-500 series, CAG-employee Jürg Spörndli, discovered that it was possible to break the machine with just 100 characters of known plaintext, probably after attending a seminar by American mathematician Martin Hellman. Although theoretical, it proved that the cipher was prone to a known plain-text attack (KPTA).

To Crypto AG it was bad news, as the company couldn't afford another debacle after the H-460 crisis. In two years time, the HC-500 series had become Crypto AG's flagship, of which more than 1700 had already been sold worldwide.

The original algorithm had been developed by NSA's Peter Jenks, and was intended to last for at least 20 years. But CAG's Jürg Spörndli had now exposed a weakness, which urgently needed to be fixed before customers discovered it them­selves. At NSA, Dave Frasier designed a drop-in fix that would defeat the known plaintext attack.
Replacement ROMs soldered to the reworked processor board

The revised algorithm was considerably more difficult to break by NSA and ZfCh, but the effort was worth every penny. For the HC-520, the drop-in replacement consisted of three ROM chips that had to be soldered onto the processor board, in place of the existing ones, which required the boards to be reworked by a skilled engineer. The image above shows the replacement ROMs. A few months later, mid-1979, Peter Jenks died of cancer and Dave Frasier committed suicide.

In June 1979, the Argentine Navy discovered 1 the weakness themselves, and demanded an immediate explanation. They summoned the CAG CEO – Heinz Wagner – to Buenos Aires, and confronted him with it. Wagner, afraid of being thrown off an airplane, 2 immediately offered the NSA-fix. They accepted it, but what the Argentines really wanted, was the ability to attack their neighbouring countries, and the promise that CAG would not tell them about the vulnerability.

  1. The CIA suspected that Peter Frutiger (see below) – a disaffected former employee – might have tipped them off, but this was never proven.
  2. This refers to the so-called death flights during the Argentine Dirty War (1974-1983), in which dissidents and enemies were dropped to their death from aircraft above the ocean.  Wikipedia

More crises
In parallel with the Egyptian crisis, a problem emerged with the MCC-314, a bulk encryptor that had been co-developed with ZfCh around 1967. It contained a readable algorithm that had been developed at ZfCh. In late November 1978, during a visit to Belgrade (Yugoslavia) two (unwitting) CAG people were shown a Yugoslav solution 1 to the machine. Shortly afterwards, in December 1978, two NSA people flew to Frankfurt (Germany) with a suitable fix, but to their surprise (and shock) they discovered that CAG engineers had already provided their own fix to the customer.

And there were more problems — for example with Austria, Argentina and South Africa — and they were all about the weakness of the cryptographic algorithms. It was clear that more secure and sophisticated crypto-algorithms were needed, but with the untimely death of the two most important NSA cryptomathematicians – Peter Jenks and Dave Frasier – this would not be easy.

  1. In cryptanalysis, a solution means that the cipher can be broken.

Although CAG-personnel was unwitting about any BND/CIA involvement, many of them became suspicious over the years. This was especially the case with engineers and mathematicians, who developed proper unreadable algorithms, and were then told by management that it had to be replaced by an alternative algorithm, that came from an external party. In most cases it was clear to the CAG-engineers that the alternative algorithm was weaker than the one they had designed.

Jürg Spörndli
One example is Jürg Spörndli, the CAG-engineer who had fixed the weak algorithm of the T-450 back in 1967, much against the will of the NSA. He was also the person who had discovered that the HC-500 machines were vulnerable to a known plaintext attack. Spörndli was suspicious of involvement of the intelligence agencies and would frequently appear in the press in later years.

Peter Frutiger
Another example was head of Crypto AG's R&D department – Peter Frutiger – who is also listed as (co)inventor on several CAG patents. Frutiger wanted the best for his customers and would always try to fix a weak or broken algorithm if he deemed it necessary. It caused CIA to find him disloyal.

In 1974, he fixed the algorithm of the MCC-314 — a bulk encryptor — after the Austrians and Yugoslavs had discovered a weakness that had been inserted by ZfCh. And in late 1976, NSA found out that he had also improved the crypto­logic of the rigged CSE-280 voice encryptor.

The CSE-280 voice encryptor was a true digital encryption device (not a simple voice scrambler), that was used by the Syrian Army. And when the Syrians discovered that it had a weak cryptologic – which had been inserted by ZfCh – Frutiger was only too willing to replace it with a secure one.
CSE-280 in metal frame

But Syria was also a high-valued NSA target, and now — with the Frutiger modification — NSA was no longer able to read the Syrian traffic. It caused Frutiger to get fired by CAG CEO Heinz Wager on 10 March 1977 — much against the will of NSA and CIA. 1 In the following years, he would hount Crypto AG like a recurring bad dream, which could barely be fought off.

  1. NSA was against firing Frutiger, as they believed a disaffected employee could become very dangerous for the MINERVA secret. They even tried to find him a different job (unknown to Frutiger), but without success.

On 15 February 2020, a few days after the revalation of Operation RUBICON, Peter Frutiger gave an interview to NZZ am Sonntag, in which he claims that he was fully witting of the project, and had actively been cooperating with CIA and NSA during his time at Crypto AG. He also claims that it was his own decision to leave Crypto AG as he had conscientious objections and no longer wanted to support the rigging of the cipher machines [25].
Mengia Caflish
In early 1978, shortly after R&D chief Peter Frutiger had been fired, CEO Heinz Wagner hired Frau Dr. Mengia Caflisch. She was a bright young engineer. But she was too bright, as far as NSA was concerned. Soon after her arrival, she broke the new HC-500 cryptologic – the one that NSA had just fixed – and went on to expose weaknesses in other CAG products. And it wasn't before long, that she began developing her own – unbreakable – cryptologics.

Caflisch developed the HC-740 data encryptor, which had an impenetrable cryptologic. By the time NSA found out, late 1978, they quickly developed a drop-in chip that would make the device readable, but it was already too far down the production line to halt it. 50 Unreadable units were produced, but because they were going to be sold to banks, it was not considered a problem.

The era of ATHENA
After Peter Frutiger dismissal, the R&D department was wildly out of control. It was clear to the partners that a suitable replacement was needed — a witting one this time. After endless battles between CIA and BND – in which each one rejected the other's candidate 1 – they finally settled for another Siemens man, codenamed REX. 2 But REX was not up to the job. Although he was an affable and capable engineer, he was unable to handle the secrecy that surrounded the project.

REX became nervous and was unable to fight off angry customers and suspicious employees, and soon developed a drinking problem. And after an alcohol-related traffic accident, he eventually got fired as well. He was replaced by ALTER, again a man who had been recruted from the ranks of Siemens. But like REX he was not up to the job. According to the partners, ALTER was not much more than a non-alcoholic REX. Nevertheless he was systematic and well organised.

  1. Actually there were two other candicates that were briefly hired – codenamed CLAPPER and BUTCHER – but as their contribution to the R&D department was next to non-existent, we have omitted them here. CLAPPER stayed on with Crypto AG in a different capacity, and BUTCHER left the company.
  2. REX was the CIA/BND cryptonym for Sigmar Horst-Joachim 'Mickie' Grützmann. His familiy appeared in an interview by Swiss broadcaster SRF on 12 February 2020 [/].1

The arrival of ATHENA
It was clear that REX was unfit to handle the difficulties involved in creating hidden backdoors. So the partners kept searching for a person with sufficient mathematical background, who was not opposed to the idea of making CAG equipment readable to Western intelligence. And with help from Swedish intelligence FRA, they eventually found a young Swedish mathematics professor.

The new man was accepted by all services — NSA, CIA, BND and ZfCh — and, more importantly, by the staff and engineers at Crypto AG. He moved to Switzerland with his family and would stay on for the next 15 years. He did not become head of R&D but instead was given an independent status as scientific advisor — in fact the company-cryptomathematician — who reported directly to the CEO. The CIA assigned him the codename ATHENA — the goddess of wisdom (and war).

ATHENA went along well with everyone. For the CAG engineers he was a respected academic of name and fame, and for NSA and ZfCh he was a knowledgeable partner, who knew what he was doing. But ATHENA was also a man of principles. He was an independent thinker, and if he didn't want to produce readable equipment for a certain customer, he simply refused to do so. He also insisted that he be allowed to share all MINERVA technical secrets with the Swedish FRA. 1

Soon after ATHENA entered stage, the problems with the 500-series emerged again. This was not unexpected, as the NSA fix of 1979 had only been a gap-fill solution. ATHENA immediately recognised the weaknesses in the algorithm, and started the development of a solid replacement.

ATHENA appeared to be the right man for the job. He openly discussed the weaknesses with customers, and told them that the cryptologic had been developed long before he had entered the firm, but that he would now fix them. It gave them enough confidence to stay with Crypto AG.
Replacement ROMs soldered to the reworked processor board

The 'improved' cryptologic was released in 1981. From then on, all new HC-500 machines were equipped with the ATHENA-algorithm, which appeared to be secure from the outside. It was able to withstand an advanced known plaintext attack, but was in reality just as exploitable as before.

When Chile complained about the weak CAG cryptologics, ATHENA was afraid that they were just inches away from breaking their own HC-500 machines. But when they threatened to buy Datotek equipment, ATHENA argued that Datotek would not be able to obtain an export licence. 2 He also promised to provide them with a more secure cryptologic, that would be made exclusively for them. They believed him and accepted the offer. And thus the Chileans stayed with Crypto AG.

  1. Sture Nyberg – the CAG CEO from 1970-1975 – had also made this a condition of his cooperation.
  2. He could say that, because he knew he would be backed by the approving authority at NSA.

The Argentine crisis
In 1982 the Falklands War broke out, an undeclared 10-week war between Argentina and the UK over two British-controlled territories in the South Atlantic: the Falkland Islands [18]. During the conflict, the Argentines relied on foreign encryption equipment for their secret communications.

This included the HC-570 and HC-520 systems that Crypto AG had fixed in 1979 and again in 1981, and which they had trusted to be secure.

But after the war, the Argentines discovered that their systems had been broken by American and British intelligence services. They were furious, and ATHENA was summoned to Buenos Aires to explain. It appeared that the Argentines had been using two analogue voice scramblers: the Datotek DC-505 and the Crypto AG CRM-008. Although the latter was significantly better than the Datotek one, both were inherently insecure.
Datotek DV-505

ATHENA decide to bluff: they had broken the voice systems, but as these were based on analogue technology, there were notoriously insecure. The HC-500 machines on the other hand, used true digital encryption, and were absolutely secure. They had definitely not been broken by the NSA. 1

After a long debate, the Argentines accepted the explanation and kept buying (rigged) Crypto AG equipment. ATHENA had saved the day again.

In North Africa, the Egyptians kept complaining about the supposed insecurity of their Hagelin systems. But when ATHENA questioned them, they criticised design features that had nothing to do with security, so he knew they were just guessing. But the suspicions remained, and in the end the Egyptians decided to buy equipment from the Austrian company Mils Electronic, not knowing that those were not secure either... 2
Crypto AG's CRM-008 (HC-235) as used by the Argentine Navy

In the early years, ATHENA had to fight two wars simultaneously: he had to convince customers that the Crypto AG systems were secure, whilst at the same time deceive his own colleagues. He re-engineered the (unreadable) cryptologics that had been made by his colleagues before his arrival, but explaining them why this was necessary, was the most demanding part of his job.

  1. Unknown to either of them, NSA had refused to help the British. Instead it was the Dutch Navy who shared its ability to read both Datotek and Crypto AG systems, allowing GCHQ to break the ciphers themselves.
  2. At the time, the equipment from Mils Elektronik was controlled by the German BND (later by the CIA) [1][6]. It is currently unclear how (and if) BND/CIA were able to influence the algorithms, as most of the equipment was based on the unbreakable One-Time Pad system which is inherently secure. It is likely that this refers to early algorithm-based cipher equipment.

10 year anniversary   1980
Although the crises would not be over any time soon, business was going well. Around 1980, Crypto AG had a cash reserve of no less than US$ 20 million. BND used much of its share to finance other operations. All from MINERVA. In 2004, a CIA historian summarised it as follows:

In fact, the operation was so successful, that by the end of the decade (1980), NSA was reading 82% of the traffic that came from original mechanical Hagelin machines, like the C-36, M-209, C-446 and C-52. In addition, they were able to read 50% of all CX-52 traffic. But of the electronic machines — that had been influenced by the Germans and Americans — NSA could read 96% of the intercepted traffic. Without MINERVA, this would have been more like the 7% on new Gretag machines. But apart from Gretag, most crypto-manufacturers were now firmly under control.

Boris Hagelin dies   1983
By 1982, the company's founder – Boris Hagelin – was enjoying his retirement, and divided his time between Switzerland and Sweden. He had left the company 10 years earlier, and would soon become ninety. For the occasion he travelled to Sweden, where much of his relatives still lived.

In Sweden he caught a cold that was so bad he had to be hospitalised near Malmö. He appeared to be near death, and his family was afraid that he would eventually die in Sweden, and that they might then be liable to pay (high) taxes over the estate in Sweden. So, at the slightest sign of improvement in his condition, they rushed him onto a waiting airplane, and back to Switzerland.

In the meantime, the CIA feared a repeat of the problems of 1969, when William Friedman died. Friedman left his library (and correspondence) to the Marshall Foundation, and in 1982, author James Bamford wrote a book that was partially based on the correspondence between him and Hagelin. It prompted NSA to remove sensitive material 1 from the Marshall Library immediately.
From left to right: William Friedman, Annie Hagelin, Elizebeth Friedman and Boris Hagelin. Image kindly provided by the National Cryptologic Museum (NMC) in Fort Meade [20].

In February 1982, with the help of Hagelin's second wife Elsa, CIA searched the study of his house in Zug, 2 and removed anything that could link him to Friedman and/or the American intelligence community. The evidence was taken to Langley, where it remains to this day [1]. Hagelin never fully recovered and died the following year – on 7 September 1983 – at the respectable age of 91.

  1. Some of the material that NSA confiscated from the Friedman estate, was released to the public in 2014, albeit in a heavily redacted form [19]. Our story about The Gentleman's Agreement is based on it [2].
  2. With Hagelin's consent.

Shuffling the cards   1987
In the fall of 1987, the name of the covert operation – THESAURUS – was changed to RUBICON. Towards the end of the 1980s, the profits of the company started dropping, whilst the running costs increased every year. It prompted the CAG CEO to consider entering the commercial market.

After all, competitor Gretag had successfully been selling into that market for years. Initially, the partners didn't like the idea, but when in 1987 Gretag appeared to be considering a buyout by Swiss communication equipment manufacturer Ascom AG, they reconsidered.

In order to block-off Gretag, they gave CAG the green light for a partnership with Ascom. A new company was founded – InfoGuard – in which the joint venture would take place. Owned by both companies, it was housed across the street from CAG, and was largely staffed by CAG engineers.
Crypto unit (HC-3452) made by Crypto AG

Although the commercial market was not regarded as an intelligence target, CIA argued that it might become one in the future, particularly in the view of international terrorism. It was decided that InfoGuard would sell crypto-enabled radios that were manufacturered by Ascom's subsidary Radiocom, and that they would contain Crypto AG's (readable) HC-3400 drop-in crypto chip.

It didn't work as expected, and InfoGuard turned out to be anything but a profit maker. And there were other failed attempts to set up partnerships, such as with the Australian company RanData, and with SAGEM in France. The partners felt that, after 14 years of service, it might be wise to replace the CEO. Heinz Wagner left the company at the end of 1988 and was replaced by Michael Grupe – 48 years old – who had been plant manager at the Osram light bulb factory in Greece. 1

Michael Grupe did not hit it off very well. He appeared to be stiff-backed and did not have a good relationship with his staff, including cryptomathematician ATHENA. In fact, the situation got so bad that, in October 1989, a group of 20 employees sent a 'Letter to the Tsar' to the CAG board. The letter had not been signed by ATHENA, but that didn't make it any better than did the letter.

Click to see more

Under Grupe, the joint venture with Ascom was cancelled, 2 and InfoGuard became a full CAG subsidary again. But even with a new CEO, the financial situation did not improve. There was a wordwide recession going on, and many governments had started to develop their own crypto equipment. 1987 had been the first year without a profit, and the forecasts were not very good.

But there was also good news: after the collapse of the Soviet Union, the former Eastern Bloc countries had become a new sales target, as they no longer wanted Soviet cipher machines. It would not be possible (yet) to sell them NATO equipment, but everything else would be fine.

  1. At the time, the Osram light bulb factory in Greece was a subsidary of Siemens.
  2. After this, Ascom continued to sell radios with CAG crypto chips though.

Targets of the 1980s
Although per initial agreement all NATO countries would have access to secure equipment, the NSA kept removing NATO countries from the secure list, including Greece, Italy, Spain, Portugal, Turkey and even Belgium. By the late 1980s, their target list 1 included the following countries:

  • Africa
  • Algeria
  • Argentina
  • Belgium
  • Brazil
  • Chile
  • Egypt
  • Greece
  • Indonesia
  • Iran
  • Iraq
  • Italy
  • Jordan
  • Kuwait
  • Lebanon
  • Libya
  • Malaysia
  • Mexico
  • Morocco
  • Pakistan
  • Phillipines
  • Portugal
  • Saudi Arabia
  • South Korea
  • Spain
  • Syria
  • Tunisia
  • Turkey
  • Vatican
  • Yugoslavia
Until the mid-1980s, Turkey had been using a One-Time Tape (OTT) cipher known as CPPM 2 for the encryption of its diplomatic messages. Because it was used incorrectly, it was readable, and had been a great intelligence source for Western and Eastern Block intelligence agencies alike.

But Turkey knew that their CPPM system was vulnerable and was looking for a replacement.

In 1982, the Dutch firm Philips had introduced Aroflex, a secure cipher machine that had been developed with Siemens, exclusively for NATO. A civil version was sold by Siemens as T-1000/CA, but was readable with a special purpose device, developed by Dutch Naval Intelligence (MARID).

NSA had discovered that Turkey wanted to order more Aroflex machines than needed, and use the surplus for its diplomatic traffic. This was not allowed, and had to be prevented at any cost.
Philips Aroflex

The Siemens T-1000/CA was offered as an alternative, but the Turks rejected it, as they probably expected it to be insecure. Siemens was then asked to create a special version of the T-1000/CA for Turkey, but refused to do so. 3 In the end, NSA teamed up with the Dutch intelligence service BVD 4 and Philips, and a special version of Aroflex was made for Turkish diplomatic traffic [21].

To the outside world it looked like a genuine Aroflex, but in reality it was a modified T-1000/CA. Although it was not readable with the special purpose device of the Dutch Navy, the increased computing power that had meanwhile become available, allowed it to be solved by other means. And thus, the Turkish diplomatic traffic remained readable, albeit no longer for the Germans [1].

 More about Aroflex

  1. This target list only includes countries there were using Crypto AG equipment.
  2. CPPM was a One-Time Tape (OTT) cipher machine, or mixer, made by SAGEM in France.
  3. It is understandable that Siemens declined, as the cryptologic had been developed by Philips Usfa in Eindhoven (Netherlands), and Siemens had no control over it. It was therefore impossible to comply.
  4. More precisely: the Netherlands National Communications Security Agency (NLNCSA), nationally known as Nationaal Bureau voor de Verbindingsbeveiliging (NBV). The NBV is a department of the BVD (now: AIVD).

Intelligence production   1990
Despite the worsening financial situation, MINERVA kept producing the bulk of the decrypts on Third World targets. With the end of the Cold War in sight, the USSR would no longer be a target, but the rise of international terrorism kept MINERVA in the lead as an intelligence producer.

In general, Egypt, Morocco, Iraq, Iran, Malaysia, Tunesia and Argentina were the most important intelligence targets, and most of them were readable because of MINERVA. Iran produced by far the best intelligence. In 1988, 19,000 Iranian messages were decrypted, which was 80-90% of their total traffic. Indonesian decrypts provided information about the Philippine situation. When in 1989, the United States invaded Panama, they knew that General Manuel Noriega was hiding out in the Vatican Embassy — all from MINERVA decrypts. It prompted the DDO of NSA to say:

But NSA knew that it would not last forever. By the late 1980s, it was clear that it would become more and more difficult to develop exploitable algorithms that could withstand the scrutiny of the academic world. Foreign nations were becoming increasingly educated in their understanding of crypto­graphic algorithms – largely due to the widespread debate and publicity surrounding Public Key Cryptography (PKC) [22] – and started developing their own crypto gear. As an example: the Iraqi crypto market largely disappeared as Sadam Hussein 1 insisted on domestic production.

  1. Saddam Hussein was president of Iraque from 1979 to 2003.  Wikipedia

The BND exits
The Hans Bühler affair — HYDRA   1992
Wilst the 1980s had been relatively smooth — despite the financial position of Crypto AG — the 1990s were about to bring much turmoil. On 14 March 1992, Crypto AG top sales representative Hans Bühler – then 51 years old – left on a plane to Tehran (Iran) to do business as usual. He had a return ticket and was to fly back six days later, on 20 March 1992. But it was not to be.

Iran had always been one of Crypto AG's most loyal customers, despite the fact that in 1979 the regime had changed, and despite recurring rumours that American intelligence was reading CAG equipment. They had questioned Bühler on several occasions, such as after the La Belle Disco incident 1 in 1986, but there had never been any real trouble with the Iranian authorities before.

When Bühler did not return home on 20 March, the company started making inquiries, and on 31 March they were informed by the Swiss Embassy in Tehran, that Bühler had been arrested with three others 2 on the grounds of spying, bribery, illegal contacts and illegal use of alcohol. There was no mention of the suspicion of rigged CAG equipment whatsoever (nor would there be later).

CIA later figured out, that Bühler had probably been picked as a target, as 'ransom' for an Iranian citizen 3 that had recently been arrrested in Switzerland. When Bühler was first visited by Swiss consular officials on 20 April, he was in bad mental condition. CIA had no idea what Bühler knew about the BND/CIA involvement, and was afraid that he would make incriminating statements.

This situation lasted until 8 September 1992, when his bail was set at US$ 1,000,000 pending further investigations. It allowed him to leave the country, but he would have to return to Iran for his trial later. CAG tried to bargain down the hight of the bail. The company was in no way able to raise that much cash. The BND was prepared to raise the US$ 1,000,000, as long as it would be split 50/50 with the CIA. But CIA officials were hesistant and were afraid that it might be illegal. 4 On 6 October, CIA agreed to pay their 50% share, but the White House rejected it the next day.

In the end, the BND raised the entire sum, and transferred it to Crypto AG, through their covert mechanism, the Bundes­vermögens­verwaltung (BVV). On 5 November, Bühler was officially charged by the Iranians, and on 5 January 1993, he arrived safely at Zürich airport in Switzerland.

Bühler was severely traumatised and felt that CAG had not done enough to enforce his release. Despite a non-disclosure agreement with CAG, he talked to the press and accused Crypto AG of providing backdoors in their equipment to the advantage of German and American intelligence.
Hans Bühler in 2014

At one point he even claimed that CAG wanted him to repay the US$ 1,000,000 bail, but withdrew that statement later. Eventually he was fired by the CAG CEO on 10 March 1993, much against the will of the partners. They felt it would have been better to keep him close. And they turned out to be right. Bühler got in touch with Peter Frutiger – the former head of R&D who had been fired 16 years earlier - who had secretly filed official charges against Crypto AG about rigged equipment.

This led to several investigations by the Bundespolizei (the equivalent of the American FBI), who even questioned the members of the CAG board. The machines were investigated as well, but no evidence was found. In the end the matter was settled with Bühler for CHF 250,000, but that did not keep him from talking to the press again. On 23 March 1994, Bühler appeared on Swiss and Austrian national television, claiming that not Siemens, but the BND was behind the company. And around the same time, investigative journalist Res Strehle published a book about the affair.

The Hans Bühler Affair — cryptonym HYDRA — was by far the most damaging one in the history of the operation. Not only for the MINERVA secret, but also for the relationship between BND and CIA. Bühler had meanwhile been silenced by means of a restraining order, but the damage had been done. And it would be far from over. It made the Germans reconsider their position.

 More about Hans Bühler

  1. La Belle was a discotheque in West Berlin, where on 4 April 1986 a bomb exploded, that had alledgedly been planted by Lybian agents. The bomb killed two and left 79 injured.  Wikipedia
  2. Salimi Nejad (the owner of Hasliran – CAGs distributor in Iran), Nejad's brother-in-law and an unnamed Iranian military officer.
  3. The Swiss had arrested an Iranian man by the name of Zeyal Sarhadi, who had been accused of assasinating Shapour Baktiar – the former Iranian Prime Minister – in France.
  4. As a matter of principle, the American government never pays ransom. However, Congress had never passed a law to prevent it, as a result of which is was simply a policy matter.

Considerations   1993
From the start of the operation there were differences in management and operational style between the partners, which led to frictions on several occasions. Furthermore, Germany had an increasing loyalty conflict with respect to its European partners. The BND wanted to protect them against (industrial) espionage from the US, which the CIA naturally opposed.

There were also financial reasons. In post-war Germany, the annual BND budget was modest. In the early days of the joint venture, the company – Crypto AG – had been highly profitable and the BND had used these profits to finance other operations. For the CIA on the other hand, money had never been an object. By the end of the 1980s it became clear that the successful days were over and that soon the partners would have to inject new capital to keep the company afloat.

In addition, there was the increasing risk of exposure. Dissidents within the company were seeking public recognition for their suspicions, and had been talking to the press on several occasions. But the real turning point was – no doubt – the Hans Bühler affair. It had made the Germans very nervous. And despite the fact that money was no object for the CIA, the German Government had to bail Bühler out in the end. In 1992, the BND considered the following:

  • Cultural and operational differences between CIA and BND
  • Germany's relation to its European partners
  • Increased cost of the operation
  • Increasing risk of exposure
  • The Hans Bühler affair (HYDRA)
The CIA had seen this coming and was aware of the fact that the Germans had limited financial resources and were at risk of being exposed because of the HYDRA affair, which could lead to embarrassment. So in early 1993, they had started working on a plan to buy the Germans out.

On 30 May 1993, the BND president informed the American DCI James Woolsey about the increasing difficulty in supporting the program and that changes to the relationship were unavoidable. On 13 August 1993, the DCI presented a draft proposal to the Germans, the details and wording of which were refined during the latter part of the year. The Germans accepted.

The divorce   1994
On 16 December 1993, the partners signed a memorandum of understanding, in which the details of the 'divorce' were roughly outlined. It was agreed that the Americans would issue an advance payment of US$ 12 million, awaiting final valuation by Deutsche Treuhand Gesellschaft (DTG), and that all contacts between the BND and Crypto AG would be terminated immediately.

All that remained to be done, was tie up some loose ends and transfer the shares. On 20 June 1994, the Crypto AG Board was informed that agreement with the Siemens Beirat – which had meanwhile become a financial burden – would be terminated. Finally, on 30 June 1994, the anonymous barer shares were transferred, after which the CIA was the sole owner of Crypto AG.

The legal construction in 1994
The diagram below shows the situation after the transfer of the barer shares from the BND to the CIA. This was done outside the view of the Liechtenstein law firm Marxer and Goop, but with DTG as the fiduciary. The CIA made a pre-payment of US$ 12 million on 11 December 1993, awaiting a final appraisal by DTG. In February 1994, the shares were valued at US$ 17.1 million and the balance was payed by the CIA on 30 June 1994. After that, the barer shares were handed over.

Ownership of Crypto AG in 1994. Move the mouse over the diagram to reveal the codenames.

This ended the work of DTG, who no longer wanted to be a feduciary after this date. It also ended the partnership between the BND and the CIA, which had lasted for more than 20 years. The CIA found a new fiduciary — codenamed SOCRATES. Although the divorce had been inevitable, many within the BND felt that the German contribution to the project should have continued, and could not understand why the German Government had left the operation entirely to the Americans.

To share or not to share
In the memorandum of understanding of 11 December 1993, in which the terms of the divorce were outlined, it was agreed that the Germans would continue to benefit from the intelligence produced by Operation RUBICON after the termination date. According to CIA, they kept their part of the bargain and continued to share the output of the operation with the German BND.

According to BND sources however, this was not the case. BND officer METAL (cryptonym) states that, once the divorce had come into effect, the Americans started 'improving' some of the CAG algorithms, as a result of which they were no longer readable to the Germans [7]. Had it not been for the Swedish intelligence service FRA, the Germans would have been blind at this stage [7].

Security - Swiss made (promotional gift)

A new beginning
Silver anniversary   1995
In 1995, sortly after the divorce with the BND, the CIA celebrated the 25th anniversary of the operation, 23 of which had been together with the German BND. But in reality, the program of influencing Crypto AG gear, had started back in 1951 with the first Gentleman's Agreement. For the CIA, it was the most productive and longest-running intelligence project since World War II.

MINERVA went through quite a few storms and narrow escapes. The Bühler Affair was by far the most critical one, as it came close to exposing the operation. It also had a demoralising effect on CAG employees. Bühler had contacted virtually everyone in the firm, and now some were looking for another job. And in addition there would be layoffs, following future reorganisations.

By 1995, it was clear that the days of solid revenues were over. The company was struggling to survive, and it would be increasingly difficult to infuse money from the US Government into it, without being exposed. Under American pressure, the Swiss Government had become more and more concerned about money laundering through its banks. And that was exactly the mechanism that CIA used to channel money to Crypto AG.

ATHENA leaves   1995
ATHENA – the company cryptomathematician – had announced in 1990 that he wanted to retire in approximately five years time. And in January 1995 the time had come. He had given the 15 best years of his life to the success of the company and to Western intelligence. But there were also doubts. After the divorce, the CIA had become the single owner, and he was ambivalent.

He recognised the efficient and flexible operating style of the CIA, but wondered what the future policy in relation to readable and unreadable equipment would be, now that a single party was in control. In his view, the shared ownership had always been a way to keep each other 'honest'. And now, he was no longer in the loop. For his services, he received the CIA's Agency Seal Medallion. 1

  1. Today known as the Agency Seal Medal  Wikipedia

The Baltimore Sun   1995
The Hans Bühler Affair was not the last of the damaging revelations. Scott Shane – a journalist of The Baltimore Sun – was writing a series of articles about the NSA, and was probing Crypto AG employees (and former employees) for further information. And he was about to expose one of the longest and most secret US intelligence operations to the American public [3].

Click to see more

On 10 December 1995, the article appeared in The Baltimore Sun, the home newspaper of many NSA employees who lived in Maryland. It was just as damaging as CIA and NSA had feared. It even mentioned Nora Mackebee — a former NSA officer — and linked here to Intercom Associates, the CIA cover company under which NSA and CIA people had operated in relation to the Crypto AG business. She (and others) had visited the company to give 'advise' on cryptographic algorithms.

At NSA headquarters in Fort Meade, it was the talk of the town for many days. It is rumoured that lower NSA staff bought extra copies of the newspaper, to read what they were not supposed to know. Crypto AG's CEO Michael Grupe, issued the usual public denial statements. He attributed the allegations to 'disgruntled employees' and claimed that everything was 'pure invention'.

Der Spiegel   1996
In 1996, the German magazine Der Spiegel followed with a similar story [24]. Following on from the Hans Bühler Affair, journalists from the magazine had spoken with former CAG employee Ernst Polzer, 1 who confirmed that NSA cryptomathematician Nora Mackebee had visited the firm on more than one occassion, and had insisted on the use of certain cryptographic algorithms.

Click to see more

The former colleague also confirmed the relationship with Motorola during the 1970s, and that the algorithms for Crypto AG's speech encryption products, had been provided by the German cipher authority ZfCh. It was clear to him that the machines had been manipulated. Of course they protected users against eavesdropping by a third party, but who was the authorised fourth?

 Read the full article

  1. Pseudonym. It is believed that this was Peter Frutiger who got fired in 1977.

Who knew what?
Who was aware of the MINERVA secret apart from the US and Germany? First of all the UK. GCHQ, the British codebreaking organisation, had a long running partnership with the US that dates back to WWII. They had been briefed by the Americans, and the intelligence production was shared with them, but they did not participate in the project. They were kept informed by NSA/CIA, but this was initially not told to the Germans. It had led to a serious confidence conflict in 1973.

It was assumed that Sweden was witting as well. Although they had never formally been briefed, the ties were strong and it was assumed that Boris Hagelin, and after him CEO Sture Nyberg, and finally ATHENA, kept the Swedish military intelligence service FRA fully informed. Furthermore, Hagelin had insisted that Sweden be allowed to buy secure equipment, and ATHENA had even made it a condition for his cooperation to the program, when he was recruited.

The same can be said about Switzerland. They had never been officially informed, to allow for plausible deniability in case the program was ever exposed. It was assumed however, that they were kept informed by people in the company. Like with Sweden, Hagelin had insisted that Switzerland would have access to secure equipment. And during the Hans Bühler Affair (HYDRA), it had become clear that high ranking Swiss military intelligence officials were fully witting.

The French were certainly also witting. They had been part of the initial attempt to buy Crypto AG with the Germans, so they could guess what was going on. Every decade, they would raise the question to let them in on the secret, but the Germans always sent them home empty-handed.

1980s overview of CIA/BND targets and witting countries. Click for a larger view.

 Larger map

Over time, the codebreaking abilities were shared with other countries, such as Denmark, France, the UK, Israel, the Netherlands and Sweden, but the actual operation — THESAURUS/RUBICON — was not revealed. For many years it allowed Western intelligence agencies to break foreign codes at an unprecedented scale, that was even bigger than Operation Ultra had been during WWII [1].

Although the actual list is probably longer, the documents identify the following targets:

  • America
  • Argentina
  • Brazil
  • Chile
  • Colombia
  • Honduras
  • Mexico
  • Nicaragua
  • Peru
  • Uruguay
  • Venezuela
  • Europe
  • Austria
  • Belgium
  • Czechoslovakia
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Portugal
  • Romania
  • Spain
  • Turkey
  • Vatican City
  • Yugoslavia
  • Africa
  • Algeria
  • Angola
  • Congo
  • Egypt
  • Gabon
  • Ghana
  • Guinea
  • Ivory Coast
  • Libya
  • Maruritius
  • Morocco
  • Nigeria
  • South Africa
  • Sudan
  • Tanzania
  • Tunisia
  • Zaire
  • Zimbabwe
  • Middle East
  • Iran
  • Iraq
  • Jordan
  • Kuwait
  • Lebanon
  • Oman
  • Qatar
  • Saudi Arabia
  • Syria
  • U.A.E.
  • Asia
  • Bangladesh
  • Burma
  • India
  • Indonesia
  • Japan
  • Malaysia
  • Pakistan
  • Phillipines
  • South Korea
  • Thailand
  • Vietnam

  • Organisations
  • United Nations
New technologies   2000
Around the turning of the century, new technologies started emerging, that made it increasingly difficult for Crypto AG to survive, and for CIA/NSA to maintain its dominant intelligence position. In particular the Data Encryption Standard (DES) and later the Advance Encryption Standard (AES) and Public Key Cryptography (PKC) became mainstream in later years. Unlike in the past, when the development of crypto-gear was the domain of industrialised nations, cryptography is now affordable to everyone, including the Third World. And most cryptography is now software-based.

For many years, the (American) intelligence services have tried to keep cryptography away from the main public, in particular by trying to impose export restrictions and key escrow, but they were fighting a losing battle. With the emerging internet, borders have gradually disappeared.

In addition, the communication channels have changed. Advanced frequency hopping, spread spectrum transmissions, digital modulation techniques, mobile telephony, fiber optics, increased communication speeds, the internet, and the like, have made it increasingly difficult to intercept secure traffic. And without intercepts, there is nothing for NSA to decrypt. The trend to move away from hardware-based cryptography, has made Crypto AG a less valuable asset for the CIA.

Crypto International AG logo

Andreas Linde   2018
In January 2018, it was announced that the Swedish entrepreneur Andreas Linde has taken over the product portfolio from Crypto AG for an undisclosed sum. Dan Ove Andreas Linde and his wife Emma Victoria Linde, are now on the board of the newly established Crypto International AG.

In the past, Linde has founded several Swedish companies. Until 2015, he was CEO of Advenica, where he is now a board member. In 2015 he founded Famco — a cyber security service provider for government organisations [13]. In 2000, Linde co-founded 4C Strategies — a risk management solutions and continuity company.

According to the press release of January 2018, Linde has only taken over some of the assets of Crypto AG – including service contracts – but not the company itself. The buildings had already been sold in a separate transaction in 2017 [23].
Andreas Linde, since 2018 the owner of Crypto International AG. Photograph from press release [14].

Note that Crypto International AG is an entirely new company which has no prior involvement with the old Crypto AG whatsoever, other that the fact that it took over Crypto AG's portfolio in early 2018. It seems unlikely that Linde was aware of CIA involvement at the time of the buyout.

Swedish entrepreneur Andreas Linde [13]

The old Crypto AG no longer exists. It was liquidated on 31 October 2019, whilst the remaining assets were transferred by means of a fusion to The Crypto Group AG (TCG) the same day. A separate licencing company – Prime Technology Licencing AG (PTL) – which was the official owner of the CAG patents since 1998, had already transferred its assets to TCG on 17 January 2018 and was liquidated the same day. On 23 December 2019, The Crypto Group AG (TCG) was renamed TCG Legacy AG, and is currently in liquidation. Almost all traces of Crypto AG have been wiped.

CyOne and InfoGuard   2018
Simultaneous with the transition of Crypto AG to Crypto International AG, a new company – Crypto Schweiz AG – has been spun-off as a result of a management buyout. It is managed by three former members of the CAG-board and will be active on the Swiss national cyber security market [23]. Shortly after the management buyout, Crypto Schweiz AG was renamed CyOne.

In a separate press release, it was announced that InfoGuard – which had until that time been a subsidary of Crypto AG – was also spun-off in a management buyout, and will also be active in the field of cyber security [14]. The buyout was led by the same three CAG-board members are for the CyOne buyout. It was anticipated that the two companies will be working closely together.

 About CyOne
 About InfoGuard

Switzerland today
When Operation RUBICON was revealed by the German, Swiss and American press on 11 February 2020, the Swiss Government announced that pending a formal investigation, the export licence of Crypto International AG had been suspended. And in the first week of March, the police raided the offices of Crypto International AG in Steinhausen (Switzerland) to secure evidence, awaiting a formal SECO investigation [27].

 Media coverage

Click to see more

 MINERVA timeline

Other companies
According to BND sources, it was the strategy of western intelligence services to get a grip on any company that wanted to develop and/or sell cryptographic equipment. New startups were visited and were encouraged to work with the intelligence services to produce readable equipment. In return, the company got help with the development of algorithms and obtaining export licences.

Owned —   Crypto AG (and two other companies)
Under control —   Philips, Siemens, Telemit, ANT, Telefunken, TST Timmann, Datotek, Hagenuk, Nixdorf, Olympia, Rohde & Schwarz, Transvertex, Motorola Mils Electronic (see below)
Not under control —   Gretag, RanData
If a company did not want to comply with the unwritten rules, they would not receive such help. On the contrary: there are cases in which smear campaigns were launched to prevent customers from buying equipment from unwilling manufacturers, such as the Swiss Gretag. Below is a non-exhaustive list of companies that are mentioned in unreleased CIA and BND documents [1].

Click to see more

TST Timmann
TeleSecurity Timmann (TST) 1 was a small company in Tützing, right at lake Starnberg – close to München (Germany) – owned by Klaus Peter Timmann. Business went well, and in the mid-1980s, Timmann had bought a large villa that housed his family, his private museum and the company.

Timmann produced small but powerfull encryption devices, and like all companies that appeared on the German crypto market, he was visited by the BND with the request to make the algorithms readable to them. In return, they would help him with export licences, and with the development of cryptographic algorithms. Timmann immediately offered his full cooperation, but as he was somewhat of a wildcardillustrated in this anecdote — the BND also planted a mole inside his company. The mole – in reality a BND engineer – developed the algorithms for several years.

This way, TST was under control of the BND for several years, until the Germans got cold feet and left TST to the Americans. This happened in the early 1990s, and should be seen in the light of the Hans Bühler incident, which caused the Germans to fear exposure. It had prompted them to terminate their partnership with the CIA. Nevertheless, it was uncomprehensible for BND officers, that Americans were now running a crypto company in their country. TST was dissolved in 2009.

 More about TST Timmann

  1. Not to be confused with Telefunken System Technik, which is also abbreviated TST.

Click to see more

Mils Electronic
From the late 1970s, the Austrian company Mils Electronic (also written Mils Elektronik) was also under control of western intelligence. The company had its roots in Trier (Germany) and was founded shortly after WWII by German electronics engineer Willi Reichert, who made a fortune by selling refurbished Siemens Geheimschreibers to western governments. In 1955, Reichert moved his company to neutral Austria, in an attempt to evade the restrictive German export rules.

In the late 1970s, in an act of frustration, Reichert sold his company to Belgian entrepreneur Paul Huskell in a transaction that is very similar to Hagelin's sale of Crypto AG to the BND/CIA in 1970, using a Liechtenstein law firm and a complex of Anstalts to hide the actual ownership from public view. It is known from the leaked CIA and BND documents, that Mils Electronic was under control of western intelligence at the time, first of the BND and later (after BND had left RUBICON) of the CIA, although it is unclear what the extent of this control was and how long it lasted. It seems likely that this only affected the Mils equipment that was not based on One-Time Pad (OTP) or One-Time Tape (OTT) systems, as such systems are inherently secure when used correctly.

Between mid-2017 and mid-2018 – around the same time as Crypto AG changed hands – most of the staff was layed-off and sales activities were unexpectedly terminated with immediate effect. The website has since become defunct and Mils practically seems to have been dissolved.

 More about Mils Electronic

Click to see more

Gretag was clearly an exception to the rule. Since the 1950s, NSA and CIA had been trying to get control over the company, but to no avail. Edgar Gretener, the founder of the company, exploded at the slightest provication and did not want to comply. After Gretener's death in 1958, the firm was taken over by the Swiss Ciba-Geigy concern, and successfully made the transition from to electromechanical to electronic cipher machines. For Ciba-Geigy, Gretag was a pofitable branch.

The problem for the western intelligence agencies was that Gretag's machines were highly secure and were not readable to them. In practice, Gretag was seen by the BND as one of the greatest dangers to the operation. In 2011, BND officer HEINE wrote about Gretag (tanslated) [8]:

The biggest danger came from the Swiss firm Gretag in Regensdorf (Switzerland). The company was founded in 1943 by Dr. Edgar Gretener. They introduced the Gretacoder and initially produced mechanical cipher machines, succeeded by fully electronic on-line versions, that had a good track record. [...]

At the time, Gretag was the only serious competitor. They developed and produced all kinds of high-grade cipher equipment. Their market was, besides the Swiss Army, the same countries and governments that Crypto AG was interested in. [...]

Libya had bought Gretag equipment, and other countries were threatening to do the same. All skills were used to make the customers stay with Crypto AG, including price consessions. In addition there were tailored smear campaigns, which means that Gretag equipment was delibrately dragged through the mud.
From the 1970s, both the NSA and CIA repeatedly tried to purchase the company. The owner – Ciba-Geigy – was approached about a possible sale, but did not want to give up the profitable business. In the early 1990s, when profits started declining and Ciba-Geigy became increasingly uncomfortable with the secret nature of the Gretag business, they finally decided to sell it off.

In 1991, after being pushed by the CIA, the American telecom giant AT&T took over Gretag and renamed it Gretag Data Systems. It was the intention of the Americans to get control over the encryptors that were used for the international SWIFT inter-bank communications system. But, unknown to AT&T, Gretag had managed to sell that part of their business to the newly created Swiss firm Omnisec, just before the transaction took place. In 1995, the Gretag business was taken over from AT&T by IRE — a new company that was founded by two former NSA employees. In 2002, IRE became SafeNet. In 2004, the Gretag assets were liquidated due to lack of revenue.

 More about Gretag

Click to see more

Another player over which the intelligence services did not have control, was the Australian firm RanData, founded in 1984 by an Italian entrepreneur – Amadeo Monte Sala – who had worked for NASA during the 1960s Gemini space program. In 1987, Crypto AG CEO Heinz Wagner was about to enter into a joint venture with the company, when CIA discovered that RanData was not under control of the Defense Signals Directorate (DSD); the Australian cryptologic organisation. In other words: RanData equipment was unreadable. Wagner was ordered by the CIA to cancel the deal.

 More about RanData

MINERVA timeline
The timeline below provides a graphical presentation, in chronological order, of the events that are related to the Gentleman's Agreement (1951-1960), The CIA Licencing Agreement (1960-1970), and the MINERVA purchase (1970-2018) — also known as THESAURUS or RUBICON.

Media coverage
  1. Peter F. Müller and Ulrich Stoll, Operation Rubikon, Wie BND und CIA die Welt belauschten
    ZDF Television (Germany), Frontal-21. 11 February 2020.

  2. Greg Miller, The Intelligence Coup of the Century
    The Washington Post (USA). 11 February 2020.

  3. SWI, Investigation opened into Swiss encryption firm liked to CIA (Switzerland). 11 February 2020. Interview with Greg Miller of The Washington Post.

  4. SRF, News broadcast
    10vor10 Television (Switzerland). 11 February 2020

  5. Huub Jaspers, De cryptoleaks van CIA en BND: 'Dit was de inlichtingen-coup van de eeuw'
    VPRO, Argos website (Netherlands). 11 February 2020.

  6. Rundschau, Weltweite Spionage-Operation mit Schweizer Firma aufgedeckt
    SRF Television (Switzerland). 12 February 2020.
     Original Swiss broadcast without subtitles

  7. NOS, Inlichtingencoup van de eeuw
    Nieuwsuur television (Netherlands). 13 February 2020.

  8. Domink Landwehr, Interview with Res Strehle (author of 'Der Fall Hans Bühler')
    Entretiens - Interviews (Switzerland). 13 February 2020.

  9. VPRO Radio, Cryptoleaks. 'De Inlichtingencoup van de eeuw'
    VPRO, Argos podcast (Netherlands), 15 February 2020.

  10. Greg Miller and Peter F. Müller, Compromised encryption machines gave CIA window
    into major human rights abuses in South America

    The Washington Post (USA). 17 February 2020.

  11. Rundschau, Geheimdienst-Skandal
    SRF Television (Switzerland). 19 February 2020.

  12. Huib Modderkolk, The Netherlands used superchip to eavesdrop on other countries
    De Volkskrant newspaper (Netherlands), 20 February 2020.

  13. Rundschau, Geheimdienst-Affäre: Die Wut der Argentinier
    SRF Televsion (Switzerland). 26 February 2020.

  14. ZDFinfo, Operation Rubikon
    ZDF Television (Germany). 18 March 2020.
  1. CIA Historian, MINERVA, a History
    Internal CIA publication TOP SECRET, 2004. 1,2

  2. Crypto Museum, The Gentleman's Agreement
    The Friedman Papers, 30 July 2015.

  3. Scott Shane & Tom Bowman, Spy sting: Few at the Swiss factory knew...
    Baltimore Sun, 10 December 1995.

  4. Scott Shane & Tom Bowman, NSA's ... Rigged encryption machines
    Baltimore Sun, 10 December 1995.

  5. Internal BND document ref. 303395/2
    BND, October 2012.

  6. Internal BND document ref. 303395/3
    BND, 18 February 2011.

  7. Internal BND document ref. 303395/4
    BND, 13-14 August 2009.

  8. Internal BND document ref. 303395/5
    BND, June 2011.

  9. Internal ZfCh document ref. 303395/6
    ZfCh, November 2012.

  10. Internal BND document ref. 303395/7
    BND, 29 September 2008.

  11. Internal BND document ref. 303395/8
    BND, 11 December 2009.

  12. Internal BND document ref. 303395/9
    Date unknown.

  13. Crypto AG, Background information
    Press release, 24 January 2018.

  14. Crypto AG, Andreas Linde's vision for Crypto
    "Our independence differentiates us from other providers"
    14 February 2019.

  15. InfoGuard, Management Buy Out by InfoGuard
    Press release, 25 January 2018.

  16. Hans Stadlin, 100 Jahre Boris Hagelin 1982-1992 (German)
    Crypto AG. Crypto Hauszeitung Nr. 11. Jubilieumausgabe September 1992.

  17. Wikipedia, Shift register
     Linear-feedback shift register
     Nonlinear-feedback shift register
    Retrieved December 2019.

  18. Wikipedia, Falklands War
    Retrieved January 2020.

  19. NSA, William F. Friedman Collection of Official Papers
    Retrieved July 2015. 1

  20. National Cryptologic Museum (NCM), Picture of Friedman and Hagelin families
    Retrieved July 2019.

  21. Cees Jansen, Former cryptographer at Philips Usfa
    Interview at Crypto Museum, November 2019.

  22. Wikipedia, Public-key cryptography
    Retrieved January 2020.

  23. Crypto AG, Crypto AG is gearing up for future growth
    24 January 2018.

  24. Der Spiegel, Wer ist der befugte Vierte?
    Der Spiegel, 36/1996. pp. 206-207.

  25. Peter Hossli & Daniel Meier, Der Informant, der aus der Deckung kommt
    NZZ am Sonntag, 16 February 2020.

  26. Paul Reuvers & Marc Simons, Interview with Oskar Stürzinger
    Basel (Switzerland), 7 November 2008.

  27. Urs Paul Engeler, Razzia bei der Crypto AG
    Handelszeitung (Switzerland). 18 March 2020.
  1. Unreleased and undated draft copy.
  2. This document contains (real) names of people, and will therefore not be released publicly.
  3. This document was written by a former BND/ZfCh officer, of which we have chosen not to reveal the identy. Instead, we have identified the person by his/her CIA cryptonym.

Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Thursday 12 December 2019. Last changed: Tuesday, 16 June 2020 - 08:12 CET.
Click for homepage