Security researchers have discovered two separate espionage campaigns that exploit known weaknesses in global communications infrastructure to track people's locations. Researchers say these two campaigns are likely just part of what is believed to be a broader exploit by surveillance vendors seeking access to global phone networks.
On Thursday, Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance breaches, released a new report detailing two newly identified campaigns. The surveillance vendor behind Citizen Lab, which Citizen Lab did not name, operated as a “ghost” company masquerading as legitimate cell phone providers, piggybacking on those networks and accessing their targets' location data.
This new discovery reveals the continued exploitation of known flaws in the technology that underpins the world's telephone networks.
One of them is the deterioration of Signaling System 7 (SS7) security. Signaling System 7 (SS7) is a set of protocols for 2G and 3G networks that has long been the backbone of how mobile phone networks connect to each other and route their subscribers' calls and text messages around the world. Researchers and experts have long warned that governments and surveillance technology manufacturers could exploit the SS7 vulnerability to determine the location of an individual's cell phone. SS7 does not require authentication or encryption, leaving the door open for unauthorized operators to exploit it.
The new protocol, Diameter, is designed for new 4G and 5G communications and is said to replace SS7, and includes security features missing from previous protocols. However, as Citizen Lab highlights in this report, cellphone providers do not always implement new protections, so there are still ways to exploit Diameter. In some cases, attackers can still exploit the older SS7 protocol.
The two espionage operations have at least one thing in common. Both allegedly exploited access to three specific communications providers that repeatedly served as “entrances and relay points for surveillance within the communications ecosystem.” As the researchers explained, this access allowed the surveillance vendors behind the campaign and their government customers to “hide behind infrastructure.”
The first one was Israeli carrier 019Mobile, which researchers said was used in several surveillance attempts, according to the report. British provider Tango Networks UK was also used for surveillance operations over several years, researchers said.
tech crunch event
San Francisco, CA | October 13-15, 2026
A third mobile phone provider, Airtel Jersey, is a carrier on the Channel Island of Jersey, now owned by Sure, whose network has been linked to previous surveillance campaigns.
Indeed, CEO Alistair Beak told TechCrunch that the company “does not directly or knowingly lease access to signaling to organizations for the purpose of locating or tracking individuals or intercepting their communications.”
“Sure acknowledges that its digital services may be subject to misuse, and therefore takes a number of steps to reduce this risk. Sure has implemented several safeguards to prevent misuse of its signaling services, including monitoring and blocking inappropriate signaling,” Beek's statement said. “If there is evidence or valid complaints of abuse of Sure's network, service will be immediately suspended and permanently terminated if an investigation reveals malicious or inappropriate activity.”
019 Mobile and Tango Networks did not respond to requests for comment.
Researchers say 'high-profile individuals' are being targeted
According to Citizen Lab, the original surveillance vendor used the infrastructure of multiple different mobile phone providers to facilitate multi-year espionage operations against various targets around the world. From this, researchers concluded that different government customers of surveillance vendors were behind different campaigns.
“Evidence points to a planned and well-funded operation deeply integrated into the mobile signal ecosystem,” the researchers wrote.
Gary Miller, one of the researchers who investigated these attacks, told TechCrunch that some clues point to an “Israel-based commercial geographic intelligence provider with specialized communications capabilities,” but he declined to name the surveillance provider. Several Israeli companies are known to offer similar services, including Circles (later acquired by spyware maker NSO Group), Cognyte, and Rayzone.
Contact Us Do you have more information about surveillance vendors abusing mobile phone networks? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or by email.
According to Citizen Lab, the initial campaign relied on attempting to exploit flaws in SS7 and switching to exploiting Diameter if those attempts failed.
The second espionage operation used a different method. As the researchers explained, in this case, another surveillance vendor behind it (Citizen Lab, which they also did not name) relied on sending special types of SMS messages to specific “high-profile” targets.
These are text-based messages designed to communicate directly with the target SIM card without leaving any trace to the user. Under normal circumstances, these messages are used by mobile phone providers to send harmless commands to the subscriber's SIM card, which is used to keep the device connected to the network. But researchers say the surveillance vendor instead sent commands that effectively turned the target's cell phone into a location-tracking device. This type of attack was named SIMjacker by mobile cybersecurity company Enea in 2019.
“I have observed thousands of attacks like this over the years, so I would say this is a fairly common exploit that is difficult to detect,” Miller said. “However, these attacks appear to be geographically targeted, indicating that attackers leveraging SIM jacking-type attacks are likely to know the countries and networks that are most vulnerable.”
Miller made it clear that these two campaigns are just the tip of the iceberg. “With millions of attacks taking place around the world, we focused on just two surveillance campaigns,” he said.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.