Security researchers have uncovered two separate spying campaigns that exploit known weaknesses in the global telecommunications infrastructure to track people’s locations. Researchers say these two campaigns are likely a small snapshot of what they believe is widespread exploitation by surveillance vendors seeking access to global phone networks.
On Thursday, Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing the two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate mobile carriers and would block access to those networks to look for their targets’ location data.
The new findings reveal ongoing exploitation of known flaws in the technologies that underpin global telephone networks.
One of them is the insecurity of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that for years has been the backbone of how cellular networks interconnect and route subscribers’ calls and text messages around the world. Researchers and experts have long warned that governments and makers of surveillance technology can exploit vulnerabilities in SS7 to geo-locate people’s cellphones, as SS7 requires neither authentication nor encryption, leaving the door open for unscrupulous operators to abuse it.
The newer protocol, Diameter, designed for newer 4G and 5G communications, is supposed to replace SS7 and includes the security features its predecessor lacked. But as Citizen Lab points out in this report, there are still ways to exploit Diameter, as carriers don’t always implement the new protections. In some cases, attackers can still exploit the older SS7 protocol.
The two espionage campaigns have at least one thing in common: Both abused access to three specific telecommunications providers that repeatedly acted “as surveillance entry and transit points within the telecommunications ecosystem.” This access gave the surveillance vendors and their government clients behind the campaigns the ability to “hide behind their infrastructure,” as the researchers explained.
According to the report, the first is the Israeli company 019Mobile, which the researchers say was used in many surveillance attempts. British provider Tango Networks UK was also used for surveillance activity over several years, investigators say.
Techcrunch event
San Francisco, California
|
13-15 October 2026
The third mobile operator is Airtel Jersey, an operator on the Channel Island of Jersey now owned by Sure, a company whose networks have linked to previous tracking campaigns.
Certainly CEO Alistair Beak told TechCrunch that the company “does not directly or knowingly lease access to signals to organizations for the purposes of locating or tracking individuals or intercepting communications content.”
“Sure recognizes that digital services can be misused, which is why we take a number of measures to mitigate this risk. Sure has implemented many safeguards to prevent the misuse of signaling services, including monitoring and blocking inappropriate signaling,” Beak’s statement said. “Any evidence or valid complaint related to misuse of Sure’s network results in immediate suspension of service and, where malicious or inappropriate activity is confirmed after investigation, permanent termination.”
Tango Networks and 019Mobile did not respond to TechCrunch’s request for comment.
Gil Nagar, Head of IT and Security and 019Mobile, sent a letter at Citizen Lab. Nagar said the company “cannot confirm” that the alleged 019Mobile infrastructure, identified by Citizen Lab as being used by surveillance vendors, belongs to the company.
Investigators say “high-profile” people are being targeted.
According to Citizen Lab, the first surveillance vendor facilitated spying campaigns spanning several years against different targets around the world and using the infrastructure of several different mobile carriers. This led investigators to conclude that different government clients of the surveillance vendor were behind the various campaigns.
“The evidence points to a purposeful and well-funded operation with deep integration into the mobile signaling ecosystem,” the researchers wrote.
Gary Miller, one of the researchers investigating these attacks, told TechCrunch that some indications point to an “Israel-based commercial geoinformation provider with specialized telecommunications capabilities,” but did not name the tracking provider. Several Israeli companies are known to offer similar services, including Circles (later acquired by spyware maker NSO Group), Cognyte and Rayzone.
Contact us
Do you have more information about surveillance vendors that exploit mobile networks? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
According to Citizen Lab, the first campaign was based on trying to exploit flaws in SS7 and then switching to exploiting Diameter if those efforts failed.
The second spying campaign used different methods. In this case, the other surveillance vendor behind it — which Citizen Lab isn’t naming either — relied on sending a special type of SMS message to a specific “high-profile” target, the researchers explained.
These are text messages designed to communicate directly with the target’s SIM card without showing any trace of them to the user. Under normal circumstances, these messages are used by mobile operators to send harmless commands to their subscribers’ SIM cards used to keep a device connected to their network. However, the surveillance vendor sent commands that effectively turned the target’s phone into a location tracking device, according to the researchers. This type of attack was called SIMjacker by the mobile operator Enea in 2019.
“I’ve observed thousands of these attacks over the years, so I’d say it’s a pretty common feat that’s hard to detect,” Miller said. “However, these attacks appear to be geographically targeted, indicating that operators using SIMjacker-style attacks likely know the countries and networks most vulnerable to them.”
Miller made it clear that these two campaigns are only the tip of the iceberg. “We focused on just two tracking campaigns in a universe of millions of attacks around the world,” he said.
Updated to include 019Mobile’s responses sent to Citizen Lab.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
