Time is like land. We cannot appreciate the landscape by examining the soil underfoot and we cannot appreciate trends by checking our social media feeds to see what has changed from one minute to the next. We may put boundaries around it, we may buy it and sell it, and we may cut it into smaller and smaller chunks but the sum of many small pieces is much less than a whole. This website began in 2006; it is now in its twentieth year. There is an irony in competing for attention day after day when only the passage of years reveals what is important.
This is the nineteenth annual review that I have written. The tradition of writing these reviews helps me to appreciate the value of time, and what time can be worth to a person when measured on every scale that can be understood emotionally as well as intellectually. The annual review is often the most time-consuming article to write. It is read by relatively few people. So why do I keep writing it? Because writing it benefits me, irrespective of who reads it. If you benefit from it too, then you must be somebody who looks to the horizon, both at sunrise and sunset. Our histories and our futures comprise much more than any individual person can accomplish alone. It is better to look up occasionally than to spend an entire life charting its progress by looking only one step ahead.
Previous editions of the annual review presented the events of the year in a broadly chronological order. That is no longer possible. Life is becoming too complicated, and so is risk. Some events occur too frequently to be worth enumerating the entire sequence. Other events reflect trends that span years. Those trends will remain invisible to people who always look at their feet, and are hence prone to wandering into hostile terrain.
This website used to be about interrogating data and mapping processes to avoid mistakes, increase efficiency and maximize returns. We are now at the point where I am still asking professionals in the comms sector to interrogate data and map processes, but only because the mistakes we have made are causing misery and costing human lives. That is not a long-term trend that makes me happy, but businesses will continue along the same path if they continue to confuse choices over individual steps with a choice about life’s direction.
These were the most important themes of 2025.
The East Fought Organized Crime; The West Blocked Traffic
The civil war in Myanmar liberated thousands of people held in scam compounds; 2,876 returned to China just between late February and mid-March. Others languished in Myanmar because national authorities were slow to provide the aid required to repatriate so many people at once. Meanwhile, there were gruesome stories about the torture and murder of people lured or tricked into working in Cambodian scam compounds.
A Chinese court sentenced 16 scamlords to death, continuing a strategy that concentrates on extraditing organized crime bosses and using harsh punishments as a deterrent. China also showed a willingness to go after the people involved in people trafficking, including a 17 year old girl who received RMD100,000 (USD13,950) for selling her boyfriend to scam compound slavers.
The USA also persevered with its contrarian strategy, which involves not posing any threat to criminals but instead threatening to punish other countries if they do not participate in a public relations exercise that could hypothetically lead to an extraordinarily elaborate international system for exchanging data which might potentially catch a criminal within the next 10 or 20 years. It is necessary to stop treating the USA as the benchmark by which other countries are measured, despite the deep cultural prejudices of people who try to measure everything that way. The USA is an outlier, as it often has been during the history of telecommunications. For example, when we ask how many countries have already had success with reducing scams by blocking inbound international calls that spoof a domestic phone number, the answer is ‘many’, but when we ask American thought leaders if they will do the same, some answer ‘it is not possible’. Or it was impossible, until the Federal Communications Commission asked if it should be done anyway.
We know the US approach is guff because industry lobbyists have to lie to government to maintain the illusion that everything is going to plan. The US Federal Communications Commission (FCC) is always willing to brag about any success in reducing robocalls so it is telling that their annual robocall reduction report for calendar year 2024 was published on December 23, 2025. They are legally obliged to produce an annual report detailing how many people were punished for breaking robocall laws (hint: you can count the number for 2024 with one finger). Most people never notice that report because that is why the FCC publish it a year late and when nobody is paying attention. Ssome American politicians would like voters to believe they will solve the problem of scams by going after their political enemies because attacking your political enemies is the solution for every possible problem. But if your side of the divide is being attacked then you need not be too concerned about fairness, because there will be attacks going in the other direction too.
Some Western comms providers spent more time trying to monetize scam prevention than reducing scams because they are loathe to cut revenues by reducing the flow of traffic. The folly of trying to protect the public by stopping criminal traffic without trying to stop criminals was laid bare by statistics which showed a massive increase in the amount of traffic being blocked. Endre Syvertsen of Telenor Linx disobeyed the industry’s code of silence by openly admitting that the current approach cannot succeed.
We now flag one third of all calls we handle as fraudulent and block them. This is not sustainable and an issue threatening the entire industry’s reputation!
The Year of the SMS Blaster
The Commsrisk Global Fraud Dashboard was launched in May with the hope that policymakers might use robust comparative data from multiple countries to determine the best methods of tackling fraud instead of being influenced by: (1) salesmen; (2) lobbyists; or (3) whichever vacuous opinion poll will next be mercilessly promoted by the publicity-hungry clowns at the Global Anti-Scam Alliance (GASA). We can but hope. One small positive is that GASA has so effectively monopolized the market for vacuous opinion polls about how to fight fraud that the other vacuous opinion polls will have no influence whatsoever.
Establishing the dashboard was an unusually optimistic exercise, especially as it involves increasing the costs of running Commsrisk without any realistic prospect of raising any money to cover those costs. (Note to potential sponsors of Commsrisk: no, I do not wish to share research showing how your so-called AI will save untold millions by downsizing the number of risk professionals in work today magically doing stuff without anybody seemingly losing their job.) One particular chart has proven to be a breakout success. The map of SMS blasters conclusively illustrates the rapid international spread of fake base stations that are being used to send SMS messages. It also demonstrates how combining a little bit of technology with a little bit of diligence generates more revealing data about crime than a hundred daft opinion polls. It is amazing what you can learn just by routinely comparing photographs from SMS blaster busts in multiple countries.
We can prove the map has been a success because the daily automated searches previously only found stories about SMS blasters being confiscated by police forces in specific countries. Now the daily search identifies lots of articles that contain a list of countries where SMS blasters have been found which is identical to the countries marked on our map. Some of these articles even give credit to Commsrisk. Others must have obtained their information from that same mystical hole in the sky which also gives birth to so many other facts about the activities which criminals are trying to keep secret.
Up to the end of 2024, there had been at least one report of rogue base stations being used to send SMS messages in each of the following 11 countries: Brazil, China, France, Malaysia, New Zealand, Norway, Philippines, Taiwan, Thailand, the UK and Vietnam. China has always led the way: Chinese authorities identified the problem of SMS blasters first; they cracked down on their use first; but China continues to be home to manufacturers of SMS blasters that now export their products to other countries. Their export trade must be going well. Nine new countries were added to the list during 2025: Cambodia, Indonesia, Iran, Japan, Oman, Qatar, Serbia, Switzerland and Türkiye.
There was also a notable increase in the number of reports of SMS blasters from countries that are already doing the most to detect them. The Brazilian police ran a national workshop on how to locate SMS blasters while a member of the British public called the cops after realizing an SMS blaster was being used to scam passengers on London’s subway trains.
The Philippines tried to tackle the crime by arresting importers of SMS blasters. That did not discourage the Philippine government fostering anxiety about IMSI-catchers being driven around the country by Chinese operatives for espionage and to interfere in elections.
One problem with explaining the threat to the public posed by SMS blasters is that it takes a lot of effort to find them and there are governments, police and telcos who really do not want to find them. Japan now serves as the prime example of a society where nobody in power wanted to find SMS blasters but members of the public found them anyway.
The other problem with explaining the threat posed by SMS blasters is that they are unlikely to be used by criminals in countries where there are much cheaper and easier ways to send lots of spam and scam SMS messages to the public. So that explains why none have been found in the USA yet. Only a dullard believes the criminal use of SMS blasters can be prevented by switching 2G networks off; Japan was the first country to switch off 2G but this year multiple members of the Japanese public spotted a car with fake number plates that carried an SMS blaster around the busiest districts in Tokyo.
Thinking outside of the Simbox
The use of simboxes for fraud is such a well-worn topic that it is even older than this website. However, the market for simboxes has been rejuvenated by fraudsters who make their money by stealing from consumers instead of bypassing carrier fees. This has become such a serious issue that the government of the United Kingdom ended decades of previous confusion about the legal status of simboxes by making it a crime to possess or supply a simbox without a legitimate reason, although they ignored the opportunity to ban SMS blasters at the same time. Similar prohibitions are being sought elsewhere. For example, the first report from South Africa’s Communications Risk Information Centre, an alliance comprising all the country’s big operators, demanded a nationwide ban on simboxes.
Criminal outfits are using vast arrays of simboxes to provide cybercrime-as-a-service, as demonstrated by a police raid which seized 1,200 simboxes in Latvia. SIM cards from telcos in almost 80 different countries were found during the raid. One of the main uses of these SIMs is to ‘authenticate’ new accounts on online communication services (OCS) like WhatsApp, so those OCS accounts can then be used by scammers working from scam compounds. The Indian government, alarmed at the rising number of bad accounts on WhatsApp, will impose new rules that bind SIMs to OCS accounts, thus making it much harder for scammers to remain remotely logged into their OCS accounts via the web.
Meanwhile, senior American law enforcement officials apparently believe that vast deployments of simboxes may be assembled by nation state actors to conduct crude and ineffectual denial-of-service attacks. The US Secret Service was especially unlucky with their timing when they raided 300 simboxes in New York. They immediately fed the press a lot of hooey about the potential to attack the United Nations (!) while saying almost nothing about the potential to scam the public (?), presumably because they were unaware that Europol was intending to issue a much more intelligent announcement about the criminal uses of simboxes after the raid in Latvia, which occurred just a few weeks later. Or perhaps the brightest minds in American law enforcement really believe that hostile nations like Russia might import 300 simboxes into the USA just so they can very briefly take down phone networks which serve 20 million New Yorkers despite nobody suggesting that Russian gangsters were using the 1,200 simboxes in Latvia to deny service to the 2 million inhabitants of a country situated right next to Russia and previously invaded by Russia.
One notable consequence of the increased criminal use of prepaid SIMs supplied by US telcos and installed in simboxes is that the industry-financed US traceback consortium kept reporting increasing numbers of scam calls being traced to US mobile operators. And one notable consequence of the industry-financed US traceback consortium reporting increasing numbers of traces to US mobile operators is that the FCC stopped publishing the quarterly reports which showed how many traces led to US mobile operators. An alliance of all 51 state prosecutors passed up this obvious opportunity to question the adequacy of the KYC checks and anti-fraud analytics of the big US MNOs, and instead decided to focus on the role played by the big national carriers — Inteliquent, Bandwidth, Lumen, and Peerless — in conveying harmful and unwanted robocalls. The prosecutors based their decision on information dating back to 2019. At least this demonstrates that the best brains in American law enforcement are not kidding when they say they find it difficult to keep pace with the changing tactics of organized crime.
Apologies to American readers who have been upset by my commentary in recent years. However, the root cause is the incompetence and mendacity of the people running the USA. US politicians and business executives rarely serve the interests of the American people and it is a bitter shame that those Americans with the qualifications to reach this conclusion are fearful of the consequences of stating it aloud. As an impartial messenger, I am glad to point out examples of Americans doing a good job of protecting the public from networked abuses on those occasions when I find them. There were two American women among my unsung heroes of the year.
In case you wondered, there have been no reports of arrests as a result of 300 simboxes and 300,000 SIM cards being seized in New York.
The Endless Success of Self-Regulation
2025 was another year when industry associations reminded everybody of the benefits of cooperation and lauded the many examples when self-regulation had obviated the need for actual regulation. Here is the entire list of every self-congratulatory self-regulatory initiative that came to fruition during 2025.
- Ummm
- Errr
- Somebody giving a speech about something something collaboration something something whac a mole something something robust something something is our highest priority
Self-regulation proved so effective that Ofcom, the UK comms regulator, grew so tired of waiting for telcos to voluntarily adopt the GSMA Code of Conduct to stop the leasing of Global Title that Ofcom made it mandatory for UK telcos subject to their jurisdiction.
I was joking about the lack of success for voluntary initiatives, of course. The know-your-customer (KYC) Code of Conduct that I drafted was approved by the i3Forum and is now with One Consortium for their consideration. But if anybody from the i3Forum board is reading, they may be upset with my observation that it should not have needed an entire year just to get a four-page document approved and published.
On the topic of collaboration, the Global Informal Regulatory Antifraud Forum (GIRAF), the association of regulators created as an adjunct to One Consortium, issued their first communiqué. It set the right tone. Now the emphasis needs to shift towards delivering results. The extent of the results will depend on whether these regulators are willing and able to take tougher action than before.
There was some progress with cleaning up the comms ecosystem, and it may have been considered voluntary depending on your point of view. Bankai Group, prominent sponsors of so many comms industry collaborations, was suspended from One Consortium and i3Forum. This came after Bankai CEO and owner Bankim Brahmbhatt and several of his companies voluntarily entered Chapter 11 bankruptcy. However, the specific moment when it became desirable to suspend Bankai Group was only apparent after investors claimed Brahmbhatt and his companies owed them USD500mn as a result of “breathtaking fraud”. The Commsrisk article discussing Bankai’s suspension attracted more readers than any other article this year, which may be indicative of Bankai’s reputation among its peers.
South Korea Becomes the New Benchmark for Fighting Networked Crime
Great scholars like Ibn Khaldun have observed that history progresses in cycles. Tough, uncultured barbarians conquer their rich, soft and lazy neighbors. The invaders then emulate the culture they defeated, then later surpass it, then having grown soft, they suffer decay and then defeat by another barbarian horde. Some hardship is necessary to promote vigor; too much comfort results in sloth. These observations are consistent with the countries I would have listed as leaders in establishing policies and practices that reduce networked crime. They are:
- Singapore
- India
- Australia
- Ireland
South Korea was not previously on my list of countries that set precedents which others should follow. 2025 changed that for a few very simple reasons.
- South Korean telcos were responsible for a string of calamities.
- South Koreans were kidnapped by scamlords in record numbers.
- Scams received prominent coverage in Korean news and fiction.
- The government recognized the enormous crisis in public confidence.
- They began to act urgently to tackle that crisis.
I would not suggest it is desirable for a country’s leading mobile operator to suffer such a bad breach of sensitive customer data that even its CEO called it “the worst hacking incident in the history of the telecommunications industry”. It gives me no joy to observe their leading competitor wrongly blamed customers for micropayment frauds that were actually due to shockingly lax controls over network nodes. But at least these scandals, coupled with a 20-fold increase in the number of South Koreans kidnapped and made to work in Cambodian scam compounds, did succeed in motivating more dynamic consumer protection initiatives than found elsewhere. They include:
- A program that has replaced tens of millions of SIMs in a short period and which has bound SIMs to handsets to prevent SIMs being duplicated by criminals.
- The creation of a 24/7/365 national telco-banking scam response center that can take a suspicious phone number out of service within 10 minutes of an adverse report.
- The installation of free AI software that listens to voice calls and interrupts suspected scams on all consumer handsets.
- Mandatory live facial recognition for new and replacement SIMs by the end of March 2026.
- Nationwide audits of the security of comms services.
- Warnings against travel to much of Cambodia.
These policies may work. They may fail. But those who do not pay attention have no hope of learning from them. Anyone who genuinely wants to do the best possible job of protecting the public from scams should pay attention to the results attained in South Korea.
And Let Us Not Forget Global War of a Type People Find Hard to Imagine
There are so many battlefronts between nations that it becomes impossible to list them all, even if we restrict our scope to the ones involving networks. There is interference with submarine cables, arguments about spectrum sovereignty, ‘liberal’ governments giving themselves the power to issue secret orders to telcos, foreign corruption of Members of the European Parliament, and the CIA recruiting agents via TOR.
Notice how I have not yet mentioned the frequency with which the USA finds dubious reasons to deny Chinese telcos and manufacturers access to American markets, although it is understandable that American leaders will be angry about Salt Typhoon for a very long time. Then again, the solution to weak security is not to blame your enemies for exploiting it. And nobody in China was to blame when an American journalist was added to a group chat where the Vice President and Secretary of Defense discussed secret military operations while swapping disparaging comments about Europe’s weakness.
To 2026
It should not be surprising that the communications industry finds it easiest to flourish when there is a single internationalist world order, of the type that coincided with the rise of mobile operators and ISPs. The comms sector faces a corresponding struggle with the current reality: we have a fractured world where countries secretly (and not-so-secretly) fight each other every day. Crime and warfare are converging in the networked domain. This means 2026 should be a year when significant investment is put into hardening networks, hardening processes, and hardening people by making them conscious of the risky state of the planet. We all need to be more conscious of the ease with which bad people can exploit victims no matter how great the distance between them.
But that probably will not happen. We will instead have blowhards trying to make a quick buck by pretending to have magic solutions that mitigate threats. We will have politicians and executives pretending to work together to further the nation’s interests. We will have authoritarian countries openly wrestling with liberal democracies. And Europe will keep struggling to agree a coherent strategy for safeguarding its economy and its people despite finally abandoning the pretense that its interests always align with those of the USA. In a world where China protects itself by making things, India protects itself by making things, and North America protects itself by rediscovering the ability to make things, Europe will persist in defining itself as a purchaser and regulator of products and services supplied from elsewhere, despite the dawning realization that Europeans cannot be safe if they cannot construct their own defenses.
After surveying the intolerable lack of strategic forethought applied to the management of risk in the comms sector, I find myself wondering if it is worth engaging with this topic any longer. Did I mention that this is the twentieth year of this website? If anything, I believe the comms sector is worse at gathering objective data and using it to evaluate risk and the effectiveness of potential mitigations than it was before Commsrisk started. Previously comms providers had the excuse that their biggest worries revolved around the company’s quarterly reports and the impact they might have on the share price. Now the threats are existential. Just ask Ukrainian risk managers about the challenge of keeping their networks up.
I have been a minor contestant in plenty of public brawls over consumer protection during the last few decades, with only a few of those brawls being decided in my favor. There is an argument for stepping away and enjoying as peaceful a life as possible if the world’s leaders will inevitably wreak havoc on us all anyway. If artificial intelligences are going to seize control of the planet then they should hurry up. The new machine overlords could hardly do a worse job than the autocrats and buffoons they would replace. If nothing else, I assume AIs will be less susceptible to bribery.
However, the question of whether to step away from this domain is currently moot. New business opportunities will lead me to attend many more industry events during 2026 than I did in 2025, so I might as well keep this website going, irrespective of threatened lawsuits from businesses that barely attempt to conceal the extent of their corrupting influence on governments. Much of the content produced for Commsrisk also fuels my public speaking. Writing sharpens thought. And, contrary to popular belief, being a pessimist means I am usually glad to be proven wrong. The Global Fraud Dashboard is a good idea that should be used to inform policy decisions, especially if we can devote enough resources to its further development. So if decision-makers start relying on its contents, and if people like you donate to its imminent crowdfunding campaign, then I may well find myself writing another annual review in 12 months from now.
The increased time I will spend at industry events will necessitate a reduction in the rate that I write articles for Commsrisk. Unless other authors are willing to fill the void, the output from this website will drop from three to two articles per week. I will commit to delivering one new article each Monday and Thursday. If this year’s review sounds especially cynical, bear in mind that I asked at the end of the 2024 review whether new writers would step forward to help me keep this website running. Many more volunteered than actually contributed. I treat that outcome as another objective measure of the flaws in human subjectivity. Most people like to think of themselves as capable of giving a lot more than they will actually give. It also explains why collaboration in the pursuit of the common good usually involves a larger group of people seeking credit for the work of the much smaller group that actually did it.
If the new year rolls onward and there is still too little sense of urgency, both from the public sector and private sector, despite the scale of the challenges we now face, and if empty vessels like GASA continue to make the most noise, on behalf of multinational corporations whose only goal is to whitewash their soiled reputations, then I fear this 20-year experiment will conclude with the realization that solid facts were never enough to save ordinary people from the consequences of the recklessly selfish behavior of our masters and their retinue. I have never written such a bleak ending to an annual review before. It is appropriate for the times we are now living through.
