A new report by Gary Miller and Swantje Lange of The Citizen Lab, an interdisciplinary privacy research team at the University of Toronto, has exposed three mobile telcos that “function as gateways that allow traffic to move through trusted signaling interconnections while granting access to threat actors that hide behind their infrastructure”. Those telcos are:
- 019Mobile, a privately-owned Israeli mobile virtual network operator (MVNO) that brands itself as Telzar 019. The MVNO runs its own core network systems while renting access to the radio network belonging to Partner Communications.
- Sure’s operations in Jersey, one of the Channel Islands that has the same +44 country code as the UK but which has an independent government. Sure is part of the Beyon Group that is part-owned and effectively controlled by the state of Bahrain.
- Tango Networks UK, a British MVNO that runs its own core and is a subsidiary of Texas-headquartered Tango Networks Inc. Tango Networks serves the enterprise market and describes itself as ‘the only global mobile service integrated with MS Teams and Cisco Webex Calling’.
The Citizen Lab’s investigation delves into the distinct techniques of two separate bad actors. Each uses a different way to monitor the movements of phone users but their methods are susceptible to investigation through a thorough analysis of how they tamper with signaling.
Both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution.
The first bad actor abuses signaling functions that are essential to roaming but which can also be used to infringe somebody’s privacy by repeatedly querying the location of their phone. These queries will use interconnect paths that differ from those documented in the IR.21 roaming filings that telcos are expected to provide to the GSMA. These paths are chosen because they exploit weaknesses within the interconnect ecosystem, including unsanctioned access for third parties, violations of protocols, and lax enforcement of interconnect security.
The second bad actor takes advantage of the long-known SIMjacker zero-click vulnerability which allows phones to receive silent instructions by SMS. These instructions can prompt the execution of code on some SIMs without the phone user’s knowledge or consent. This code will effectively report on the whereabouts of the phone by transmitting more silent SMS messages. The investigation links that particular exploit to the continued abuse of the Global Title (GT) addressing system for signaling surveillance.
Each bad actor exhibits a pattern that can be observed repeatedly.
Our final step was to correlate observed attack indicators with historical telemetry to measure the duration of campaign activity and repeated use of the same operator infrastructure over multiple years.
Bad Actor 1: Location Tracking through SS7 and Diameter Signaling
On November 25, 2024, a sequence of signaling messages sent from multiple foreign operator networks targeted a subscriber of a Middle East mobile operator in an attempt to determine the device location. After being alerted by the firewall security provider, the operator confirmed that the targeted IMSI belonged to a “VVIP” subscriber, indicating a high-profile individual and suggesting a targeted surveillance operation.
Further analysis indicated the same bad actor also monitored the movements of subscribers associated with telcos in Bangladesh, Denmark, Malaysia, Montenegro, Norway, South Africa, Sweden, Thailand and other countries. The bad actor made coordinated and alternating use of SS7 and Diameter signaling when querying a phone’s location. These queries rotated through 11 operator identities across nine countries to give the appearance of legitimate roaming traffic. Three distinct routing patterns were used to hide the true source of the queries and to defeat network firewalls.
- Direct Access via Tango Networks UK — Messages entered through Tango-associated infrastructure and were routed through the BICS IPX network.
- Direct Access via 019Mobile Israel — Surveillance traffic entered through 019Mobile-linked nodes before reaching IPX providers.
- Spoofed operator identity path (AIS Thailand/China Unicom) — Messages combined an AIS Thailand hostname with a China Unicom network realm while routing through 019Mobile to steer traffic through the Syniverse IPX.
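A defender-side check for the inconsistencies described above, added here as an example and not taken from The Citizen Lab report: it flags Diameter requests whose Origin-Host does not sit under the claimed Origin-Realm, and requests that arrive over an interconnect peer the claimed operator does not document. The record layout, the IR.21-derived allowlist, the realm values (test MCCs) and the peer names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DiameterRequest:
    origin_host: str   # Origin-Host AVP
    origin_realm: str  # Origin-Realm AVP
    ingress_peer: str  # interconnect peer that delivered the message

# Hypothetical allowlist derived from roaming partners' IR.21 filings:
# claimed realm -> IPX peers documented for that partner's signaling.
# Realms use test MCC values and peer names are placeholders (constructed).
REALM_A = "epc.mnc001.mcc001.3gppnetwork.org"
REALM_B = "epc.mnc002.mcc999.3gppnetwork.org"
IR21_PATHS = {REALM_A: {"ipx-a"}, REALM_B: {"ipx-b"}}

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def host_in_realm(host: str, realm: str) -> bool:
    """True when Origin-Host is the realm itself or a name beneath it."""
    host, realm = _norm(host), _norm(realm)
    return host == realm or host.endswith("." + realm)

def check(req: DiameterRequest) -> list[str]:
    """Reasons the request is inconsistent with the identity it claims."""
    findings = []
    if not host_in_realm(req.origin_host, req.origin_realm):
        findings.append("host-realm-mismatch")
    expected = IR21_PATHS.get(_norm(req.origin_realm))
    if expected is None:
        findings.append("realm-not-in-ir21")
    elif req.ingress_peer not in expected:
        findings.append("undocumented-path")
    return findings

def scan(requests):
    """Map record index -> findings, for records with at least one finding."""
    return {i: f for i, r in enumerate(requests) if (f := check(r))}

# Constructed sample records, not taken from the report.
SAMPLES = [
    DiameterRequest("mme1." + REALM_A, REALM_A, "ipx-a"),     # consistent
    DiameterRequest("mme1." + REALM_A, REALM_B, "ipx-b"),     # mixed identity
    DiameterRequest("hss1." + REALM_B, REALM_B, "ipx-a"),     # wrong path
    DiameterRequest("mme1.x" + REALM_A, REALM_A, "ipx-a"),    # look-alike suffix
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLES).items():
        print(idx, SAMPLES[idx].origin_host, reasons)
```

The suffix comparison is anchored on a label boundary, so a hostname that merely ends in the realm string without the separating dot is still reported as a mismatch.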
019Mobile has denied that its nodes were used in this fashion. An email responding to The Citizen Lab’s findings from Gil Nagar, the Head of IT & Security at 019Mobile, stated that “no risk to our customers has been identified”. Even a moderately competent security professional should have realized that lax signaling security is a risk to customers of other telcos.
Bad Actor 2: Exploiting SIMjacker for Surveillance
SIMjacker is a privacy vulnerability identified in 2019 by Cathal Mc Daid and his colleagues at AdaptiveMobile Security, now part of Enea. The method for exploiting SIMjacker has been comprehensively documented, both through the GSMA’s coordinated vulnerability disclosure process and through a public explanation of how it works. The essence of the method involves silent SMS messages being sent to a phone without the user being made aware of them. The message received by the phone prompts the execution of code on the SIM, with the result that information about the phone’s location is relayed by further silent SMS messages sent by the phone.
Enea believes SIMjacker “is currently being actively used by a specific private company that works with governments to monitor individuals” but they have not named the company publicly. This did not prevent The Citizen Lab tracking the sources of SIMjacker attacks to SS7 addresses for mobile operators in Liechtenstein, Rwanda and Sweden. For example, an attack that occurred during February 2025 spoofed signals to make them appear to be from networks in Lesotho, Morocco, Mozambique, Namibia, Poland and Switzerland, but the instruction for the target SIM would have told it to send the return SMS messages to an address masquerading as an SMS Service Center for Telecom Liechtenstein. Thankfully, this particular attack failed because the SMS with the malicious instruction was blocked before it reached the target phone.
The GT used for this attack is within a range allocated to Telenabler, a Swedish mobile virtual network enabler (MVNE) that provides infrastructure and back-office support to multiple MVNOs. This is significant because Telenabler has been criticized by The Citizen Lab before. Per their words, the same GT is a ‘frequently detected source address used in location tracking operations’. Sadly, it is an ongoing sign of the telecoms industry’s preference for empty words over serious action that other countries have not emulated UK restrictions designed to tackle the abuse of GTs, and the GSMA Code of Conduct for GT Leasing still has no meaningful signatories, a full two years after it was first published.
Per The Citizen Lab’s research, there were more than 1,700 privacy attacks from this GT between October 2023 and April 2025, “with over 92% of its traffic linked to location tracking”. The data exhibited a significant overlap with the methods used by Fink Telecom Services, a Swiss business repeatedly linked to phone surveillance.
Will the Authorities Take Action?
There is copious evidence of privacy infractions enabled by weak or non-existent controls over the signaling, routing and authentication of electronic communications. It is harder to find examples of governments or regulators taking action to protect our privacy. The methods documented by Miller and Lange would not be effective if telcos were serious about their responsibility to the public. Based on my experience, too many security professionals who work for telcos are overly focused on protecting the company’s own IT, while being careless about protecting customers from the unique threats enabled by the flow of data between a phone, a network, and all the other networks it will interoperate with. But instead of offering my own rant, it is best simply to repeat Miller and Lange’s insightful conclusion in full.
This report is the first to map live SS7 and Diameter attack telemetry to operator identifiers and interconnect routes used in cross-protocol mobile surveillance operations. Rather than implanting device spyware or hacking corporate networks to carry out mobile espionage, the two actors leveraged legitimate operator signalling identities and trusted interconnections to carry out targeted surveillance across country borders. By blending their location queries into normal roaming traffic, and manipulating protocols and network identifiers, they effectively operated as “ghost operators” within the global telecom ecosystem.
The findings in this report expose how advanced actors operationalize telecom infrastructure to carry out campaigns persisting for years without detection. Telecom networks form the backbone of global civil society, and when trust is exploited for surveillance, the consequences extend beyond individual victims to mobile users worldwide. This investigation exposes more than protocol vulnerability issues in telecommunications; it shows governance failures across the entire interconnect ecosystem used for critical mobile communications. It also demonstrates how those weaknesses enabled the use of telecommunications infrastructure as a covert surveillance platform.
The global telecom ecosystem can no longer rely on legacy trust models. Without authentication, enforceable interconnect controls, transparency in commercial network access, and regulatory accountability, mobile networks will continue to serve as a global platform for covert espionage.
The new report by Gary Miller and Swantje Lange of The Citizen Lab, entitled “Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors”, can be found here.



