CIA Codewords and Abbreviations

(Updated: December 1, 2023)

Below are listings of codewords, cryptonyms and abbreviations used by the Central Intelligence Agency (CIA), especially related to its involvement in the collection of signals intelligence and its cyber operations. Older CIA codewords can be found on Wikipedia and on this list.

Similar lists are available on this website for
NSA, GCHQ and BND. See also the lists of abbreviations of SIGINT and COMSEC, and general telephony and internet terms.

Please keep in mind that a listing like this will always be work in progress!


Codewords related to Crypto AG

(Between 1970 and 2018, the CIA secretly owned the Swiss manufacturer of encryption equipment Crypto AG, until 1994 in a 50/50 partnership with German BND)

ALTER - Cryptonym for the chief of Research & Development at Crypto AG (1981) *
ATHENA - Cryptonym for Kjell-Ove "Henry" Widman, the principal crypto-mathematician of Crypto AG (1980-1995) *
AURORA - Cryptonym for InfoGuard, a Swiss company that became a joint venture between Crypto AG and Ascom in 1989 *

BALL - Cryptonym for Sture Nyberg, CEO of Crypto AG (1970-1975) *
BLOCK - Cryptonym for Heinz Wagner, CEO of Crypto AG (1976-1989) *
BUTCHER - Cryptonym for Gerrit Brussaard, who in 1978 was briefly head of R&D of Crypto AG *

CLAPPER - Cryptonym for Kirk Kirchhofer, in 1978 head of R&D, later sales manager at Crypto AG *

EOS - Cryptonym for the CIA in relation to Crypto AG *

FIDELIO - Cryptonym for Deutsche Treuhand Gesellschaft (DTG), the accounting firm involved in the purchase of Crypto AG *

GAMMA - Cryptonym for the German intelligence service BND in relation to Crypto AG *
GOLF - Cryptonym for AEH, the holding company that owned Crypto AG *

HOCKEY - Cryptonym for the NSA in relation to the Crypto AG operation *
HYDRA - Cryptonym for Hans Buehler, a salesman for Crypto AG *

METAL - Cryptonym for a BND officer involved in the Crypto AG operation *
MINERVA - Cryptonym for the Swiss manufacturer of encryption devices Crypto AG, which was purchased by CIA and BND in 1970 under operation THESAURUS *

NAVAHO - Cryptonym for Motorola in relation to Crypto AG *

OLYMPIA - Cryptonym for the German company Siemens in relation to Crypto AG *

QUINCE - Cryptonym for Switzerland in relation to Crypto AG *

REX - Cryptonym for Sigmar Horst-Joachim "Mickie" Grützmann, chief of Research & Development of Crypto AG (1978-1980) *
RUBICON - Code name for the joint CIA-BND project to secretly run the Swiss manufacturer of encryption devices Crypto AG (cryptonym: MINERVA). Before 1987 codenamed THESAURUS.*

SIEGFRIED - Cryptonym for Oscar Stuerzinger, technical director of Crypto AG *
SIGMA - Cryptonym for the German cryptologic service ZfCh in relation to Crypto AG *
SOCRATES - Cryptonym for a CIA fiduciary involved in the Crypto AG operation *
SPARTAN - Secret licensing agreement between the CIA and Boris Hagelin, owner of Crypto AG (1960-1970) *

THESAURUS - Code name for the joint CIA-BND project to buy (in 1970) and secretly run the Swiss manufacturer of encryption devices Crypto AG (cryptonym: MINERVA). In 1987 renamed into RUBICON.*
THRAN - Cryptonym for Transvertex *
TIGER - Cryptonym for Gretag, a Swiss competitor of Crypto AG *


Vault 7 and Vault 8 codewords

(From March to September 2017 Wikileaks published user guides and other documents (Vault 7) and in November 2017 also the source code (Vault 8) of CIA hacking tools)

Achilles - Capability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution; part of the Imperial project.
Aeris - Automated implant written in C that supports a number of POSIX-based systems; part of the Imperial project.
AfterMidnight - Framework that allows dynamically loading and executing malware payloads on a target computer.
Angelfire - Persistent framework that loads and executes custom implants on target computers running Windows XP or Win7; comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.
Archimedes - Tool used to attack a computer inside a Local Area Network (LAN).
Assassin - Automated implant that provides a simple collection platform on remote Windows computers.
Athena - Provides remote beacon and loader capabilities on target computers using Window XP to Windows 10.

BothanSpy - Implant that targets the SSH client program Xshell and steals user credentials for all active SSH sessions.
Broken Promise - Postprocessor to evaluate colelcted information; part of Brutal Kangaroo
Brutal Kangaroo - tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives; developed by the CIA's Operational Support Branch (OSB)*<

CherryBlossom - Tool for monitoring the internet activity of and performing software exploits on targets of interest.
CherryTree - Command and Control server for contacting the FlyTrap beacon
CherryWeb - Browser=based user interface to monitor the status of FlyTrap devices
CouchPotato - Remote tool for collection against RTSP/H.264 video streams.

Dark Mallet - Infector for the Triton MacOSX malware
Dark Matter - Projects that infect Apple Mac firmware, persisting evenwhen the operating system is re-installed.
DarkSeaSkies - An implant that persists in the EFI firmware of an Appple MacBook Air computer.
DerStarke - EFI persistent version of the Triton MacOSX (or Dark Mallet) malware.
Drifting Deadline - Thumbdrive infection tool; part of Brutal Kangaroo
Dumbo - Capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a physical access operation.

ELSA - Geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system
ExpressLane - Covert information collection tool used by the CIA to secretly exfiltrate data collections from systems provided to liaison services.

FlyTrap - A wireless device compromized by CherryBlossom

Grasshopper - Platform used to build customized malware payloads for Microsoft Windows systems.
Gyrfalcon - Implant that targets the OpenSSH client on Linux platforms to steal user credentials of active SSH sessions and collect full or partial OpenSSH session traffic

HighRise - Redirector function for SMS messaging that could be used by IOC tools that use SMS messages for communication between implants and listening posts
Hive - Back-end infrastructure malware used by CIA implants to transfer exfiltrated information from target computers to the CIA.

Imperial - Hacking project consisting of the Achilles, Aeris and Seapea components

Marble Framework - Used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

NightSkies - A beacon/loader/implant tool for the Apple iPhone.

OutlawCountry - Malware that allows for the redirection of all outbound network traffic on a target computer

Pandemic - A persistant implant for Microsoft Windows machines that share files or program with remote users in a local network.
Protego - PIC-based missile control system developed by Raytheon

Scribbles - A document-watermarking preprocessing system to embed "web beacon"-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others.
SeaPea - OS X Rootkit that provides stealth and tool launching capabilities; part of the Imperial project
Shadow - Primary persistence mechanism for Brutal Kangaroo.
Shattered Assurance - Server tool that handles automated infection of thumbdrives; part of Brutal Kangaroo.
Sonic Screwdriver - A mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting.

Triton - MacOSX malware

Weeping Angel - An implant designed for Samsung F series smart televisions.


Some other CIA codewords

AERODYNAMIC - Joint OPC-MI6 project to drop agents by parachute in the Ukraine (1949)*
AEROOT - OPC project to drop agents in Poland and the Baltic states using hot air balloons (ca. 1950)*
ANGERQUAKE - Malware developed by the CIA's Operational Support Branch (OSB)*
APPLESAUCE - CIA station on Cyprus (1950s)
AQUATONE - Cryptonym for the development of the Lockheed U-2 spy plane
ARDBERG - Hacking tool developed by the CIA's Operational Support Branch (OSB)*

BGFIEND - Joint CIA-MI6 operation in Albania (1949-1954)*
BLUECITY/1, 2, 3 - Codenames for Dutch cities during operation Tom (1953-1959)*
BLUELAND - Codename for the Netherlands during operation Tom (1953-1959)*
BLUEMAN/1 to 4 - Codenames for BVD officials during operation Tom (1953-1959)*
BLUETEAM - Codename for the Dutch BVD during operation Tom (1953-1959)*

CHAOS - CIA domestic spying operation (1967-1973)
CONDOR - Operation in which the secret services of Argentina, Chile, Uruguay, Paraguay, Bolivia and Brazil, backed by the CIA, cooperated to suppress left-wing opposition movements and assassinate their leaders (1968–1989)
CONQUERER - NSA ECI compartment for joint NSA-CIA clandestine radio frequency operations (since 2003) *
CRISSCROSS - Database of telecommunications selectors, operated by the CIA and also used by DOJ, DOD and NSA

DEWBAR - Stay Behind network in Italy (since 1948?)*

EARWORT - New funding for the research center of the CIA's Technical Services Staff (1950's)*
EASYCHAIR (EC) - CIA research project for developing resonant cavity covert listening devices (1954-1967)
EXWOOD - Stay Behind network in Turkey (since 1948?)*

GLADIO - Stay Behind network in Italy (since 1948?)*
GLOTAIC - Joint BND-CIA operation to acquire foreign telephone communications from the German subsidiary of MCI (2005) *
GOLD - Joint SIS-CIA operation to wiretap Soviet army landlines through a tunnel under Berlin (1953-1956; British codename: STOPWATCH)
Gray Magic - Secure e-mail system to communicate with private contractors *
GREYSTONE (GST) - CIA's highly secret rendition and interrogation programs (since 2001) *
GREENLAND - Codename for the United States during operation Tom (1953-1959)*
GREENMAN/1 to 9 - Codenames for CIA officials during operation Tom (1953-1959)*
GREENTEAM - Codename for the CIA during operation Tom (1953-1959)*
GRGROOND - Stay Behind network in Austria (since 1948?)*

HERCULES - CIA terrorism database
HTREPAIR - Stay Behind network in Austria (since 1948?)*
HYDRA - Program to secretly access databases maintained by foreign countries and extract data to add to US watchlists *

IVY BELLS - NSA, CIA and US Navy operation to place wire taps on Soviet underwater communication cables (1970s-1980s)

JUNGLE - Joint OPC-MI6 operation to drop agents by boat in the Baltic countries (1945-1955)*

KIBITZ - Stay Behind network in Germany (since ca. 1950)*
KLAMATH (KLM) - Classification control system which in 2003 included the NSA ECI compartments CONQUERER, LYSERGIC and WASHBURN *

LAPHROAIG - Hacking tool developed by the CIA's Operational Support Branch (OSB)*
LCFLAKE - Secret CIA airfield near Athens, Greence (1950s)*

MCNUGGET - Hacking tool developed by the CIA's Operational Support Branch (OSB)*

NERVUE - Stay Behind network in Denmark (since 1948?)*
NICLIPPER - Stay Behind network in Belgium (since 1948?)*

OKRIDGE - Stay Behind network in Luxemburg (since 1948?)*
OXCART - Code word for the development of the Lockheed A-12 reconnaissance aircraft and for the plane itself (since 1958)

PASTIME - Stay Behind network in West-Berlin (since ca. 1950) *
PIED PIPER - Satellite development program by the US Air Force, including KEYHOLE-II (since 1955) *
PIED PIPER - Project by the Dutch Nederlands Radar Proefstation (NRP) (1970s) *
PIED PIPER - CIA program for implants in humans to be monitored by psychologists (since 1986) *
PISCES - Joint NSA, CIA and State Department program collecting biometric data on border crossings from a wide range of countries *
PROTON - Storage and analysis system for the CRISSCROSS database of (telephony?) metadata of (counterintelligence) targets; operated by CIA and used by DOJ, DOD and NSA *
PSALM - Defunct Top Secret control system for intelligence related to the Cuban missile crisis (October 1962) *

QKBROIL - OPC operation to destabalize the Rumanian government (1951-1954), in 1954 renamed into operation SHELLFIRE *
QUANTUM LEAP - CIA tool to "find non-obvious linkages, new connections, and new information" from within a dataset *

RACKETEER - Operation to analyse the behaviour of East German spy handlers using the Personality Assessment System designed by the CIA’s former star psychologist John Gittinger (since 1987)*
RAINFALL - The joint CIA/NSA/DSD satellite ground station Pine Gap, Australia (F78) *
RAMPART-T (RAM-T) - Program providing access to land-based cables, in cooperation with the NSA, to collect communications from state leaders and their entourage (since 1991)*
REDCAP - Program to recrute Soviet civil servants who were working or traveling outside the Soviet Union, 1940s-1950s *
REDCITY - Codename for Oslo during operation Tom (1953-1959)*
REDLAND - Codename for Norway during operation Tom (1953-1959)*
REDMAN/1 to 4 - Codenames for NIS officials during operation Tom (1953-1959)*
REDSHOP - Codename for the Norwegian nuclear testing facility in Kjeller during operation Tom (1953-1959)*
REDSKIN - Program to infiltrate legal agents (tourists, businessmen, journalists, etc.) in the Soviet Union, 1940s-1950s *
REDSOX - Program to infiltrate illegal agents behind the Iron Curtain, by land, by sea or by air, 1949-1957 *
REDTEAM - Codename for the Norwegian intelligence service (NIS) during operation Tom (1953-1959)*
ROCKING CHAIR (RC) - Dutch research program on behalf of the CIA for developing a telephone line bug (1960s) *

SARGASSO - Stay Behind network in Norway (since 1948?)*
SHADED - OPC operation to infiltrate in Rumania with help of the Jugoslavic government (1954)*
SHELLAC - CIA operation to drop propaganda leaflets above Rumania (1952)*
SHELLFIRE - OPC operation to destabalize the Rumanian government, before 1954 known as operation QKBROIL *
SHENANIGANS - Aircraft-based NSA geolocation system used by CIA (ca. 2013) *
SYRUP-SYNTHOSIS - Stay Behind network in the Netherlands, called Operatiën & Inlichtingen (since 1945)*

THUNDERBIRD - Stay Behind network in Greece (since 1948?)*
THUNDERDINE - Stay Behind network in Greece (since 1948?)*
TINHORN - Stay Behind network in Sweden (since 1948?)*
TOM - Joint BVD-CIA-MI6-NIS operation for running a Dutch double agent at the Norweging nuclear testing facility in Kjeller, Norway (1953-1959)*
TRIGON - Codename for Soviet diplomat and CIA agent Alexander Ogorodnik *

ULTIMATE - CIA operation sending weather balloons into Eastern Europe in order to map Soviet defense radar activity (1950s) *
UMBRAGE - Unit of the Remote Development Branch (RDB) that stockpiled hacking techniques from other hackers (before 2017)

VALUABLE - Joint CIA-MI6 operation in Albania (1949-1954)*
VICTORYDANCE - Joint NSA-CIA operation to map WiFi fingerprints of nearly every major town in Yemen (ca. 2013) *

WASHBURN - NSA ECI compartment for an NSA-CIA CLANSIG effort to exploit a source in a Middle Eastern location (since 2003) *
WHITEMAN/1 - Codename for an MI6 official during operation Tom (1953-1959)*
WHITETEAM - Codename for MI6 during operation Tom (1953-1959)*
WILD TURKEY - Hacking tool developed by the CIA's Operational Support Branch (OSB)*



AED - Applied Engineering Division (part of the EDG)
AIB - Automated Implants Branch (part of the AED)

BOB - Berlin Operations Base (in West-Berlin, Germany, 1940s-1950s)
BTTP - Basic Telecommunications Training Program

CAG - Crypto AG (Swiss crypto manufacturer purchased by CIA and BND in 1970)
CCI - Center for Cyber Intelligence (CIA hacking division, part of the DDI)
CIB - ? (part of the NOD)
CICM - Counterintelligence Mission Center
CIG - Central Intelligence Group (1946-1947, predecessor of the CIA)
CINEMA - CIA Information NEeds MAnagement (database)
CLANSIG - Clandestine Signals (joint NSA/CIA interception program) *
CMO - Collection Management Officers
CNB - Closed Network Branch (part of the ESD)
CO - Case Officer
CoB - Chief of Base
COG - Computer Operations Group (part of the CCI)
CoS - Chief of Station
CRD - ? (sub-compartment of HCS-P)
CREST - CIA Records Search Tool
CRT - Computer Research Team (part of the NOD)
CRU - ? (classification control system which includes GREYSTONE)
CSOB - Combined Soviet Operations Base (at the McGraw Kaserne in München, Germany, 1940s-1950s)
CTC - CIA CounterTerrorism Center
CTC/SO - CTC Special Operations

DA - Directorate of Analysis
DCI - Director of Central Intelligence (1946-2005)
D/CIA - Director of the Central Intelligence Agency (since 2005)
DDI - Directorate of Digital Innovation (CIA cyber division)
DDO - Deputy Director for Operations
DDP - Deputy Director for Plans
DevLAN - Developers Local Area Network (internal computer system from which the Vault7 hacking tools were stolen)
DI - Directorate of Intelligence
DO - Directorate of Operations (Clandestine Service)
DP - Directorate of Plans (merger of OPC and OSO in 1952, in 1973 renamed into Directorate of Operations)
DS - Directorate of Support
DS&T - Directorate of Science & Technology

ECI - Exceptionally Controlled Information
EDB - Embedded Devices Branch (part of the AED)
EDG - Engineering Development Group (part of the CCI)
ESD - ? (part of the EDG)
ETB - ? (part of the ETB)

FINO - ? (part of the CCI)
FIO - ? (part of the CCI)
FOB - Frankfurt Operations Base (Germany, 1950-70s)
FSG - Field Service Group

GB - ? (part of the OED)

HCS - HUMINT Control System
HCS-O - HUMINT Control System-Operations
HCS-P - HUMINT Control System-Product
HUMINT - Human Intelligence

IB - Infrastructure Branch (part of the SED)
ICE - ? (part of the COG)
IOC - Information Operations Center
IVV - Independent Verification & Validation (part of the SED)

JIS - Joint Issues Staff (CIA liaison offices in foreign countries)

KLM - KLAMATH (see codewords listing)

MDB - Mobile Development Branch (part of the AED)
MOB - München Operations Base (at the McGraw Kaserne in München, Germany, 1940s-1950s)
MRB - Mission Requirements Branch (part of the OED)

NCS - National Clandestine Service (2005-2015)
NDB - Network Devices Branch (part of the SED)
NEA - ? (part of the COG)
NEB - ? (part of the NOD)
NHB - New Headquarters Building (opened in 1991)
NOC - Non-Official Cover (for CIA operatives)
NOD - Network Operations Division (part of COG)
NRT - Network Research Team (part of the NOD)

OED - ? (part of the OTR)
OHB - Old Headquarters Building (opened in 1961)
OO - Operations Officers
OPC - Office of Policy Coordination (division for clandestine operations, 1948-1952)
OS - Office of Security
OSB - Operational Support Branch (part of the AED)
OSD - ? (part of the COG)
OSE - Open Source Enterprise (part of the DDI)
OSO - Office of Special Operations (division for clandestine intelligence collection, 1946-1952)
OSS - Office of Strategic Services (1942-1945)
OTR - Office of Technical Readiness (part of the DST)
OTS - Office of Technical Services (succeeded Technical Services Staff in 1960)

P6 - Project 6 (joint BND, BfV and CIA anti-terrorism unit, stationed in Neuss, Germany; 2005-2010)*
PAG - Physical Access Group (part of the CCI)
PAG - Political Action Group (part of SAC)
PX - ? (database supporting the joint BND, BfV and CIA anti-terrorism unit Project 6)*

RDB - Remote Development Branch (part of the AED)

SAC- Special Activities Center (since 2016)
SAD- Special Activities Division (prior to 2016)
SB - Stay Behind (networks in Western Europe)
SCS - Special Collection Service (joint NSA-CIA unit)
SDB - Software Development Branch (part of the ESD)
SED - ? (part of the EDG)
SIB - Special Investigations Branch (part of OS)
SOG - Special Operations Group (part of SAC)
SOO - Staff Operations Officers
SPO - Special Police Officer
SRD - Special Requirements Division
SSO - Specialized Skills Officers

TAC - Technical Advisory Council (part of the EDG)
TISO - Technical Information Security Officer
TOB - ? (part of the NEA)
TOE - ? (part of the ICE)
TSS - Technical Services Staff (1951-1960, succeeded by the Office of Technical Services)

UCL - UMBRAGE Component Library

WGB - Wireless Geolocation Branch (part of the ESD)
WTC - Warrington Training Center

X-2 - Counter Espionage Branch (1943-1945)


Organizational chart

Wikileaks has a partial organizational chart of the CIA, which provides a rough outline of its internal organization. It's a reconstruction and can also be subject to changes due to internal reorganizations. A chart of the National Clandestine Service (now Directorate of Operations) can be found here.

Links and Sources
- Internal report of the CIA's Wikileaks Task Force
- About How Codes Names Are Assigned
- Wikipedia article about the CIA cryptonym
- Article about Security Clearances and Classifications
- Cees Wiebes, Samen met de CIA. Operaties achter het IJzeren Gordijn, uitg. Boom, Amsterdam 2016
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.


PLVS VLTRA said...

you're missing 30 clearances and the CIA Spartan Agency.

PLVS VLTRA said...

The Spartan Agency is the same as the Ahnenerbe

dxv515 said...

update all your links.....

Anonymous said...

I want to learn more

Anonymous said...

The Sun is shining- but the ice is slippery

Anonymous said...

correction: Clapper should be "Kirk" not Kurt
-thanks for the work

P/K said...

Thanks, I corrected it!

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties