
Citizen Lab Exposes Global Mobile Surveillance Using 3G, 4G and Malicious SMS


Citizen Lab uncovered a coordinated global surveillance campaign that blends 3G and 4G signalling tricks with malicious SMS to pin down mobile users. Two threat actors exploited operator identities, rerouted traffic through trusted interconnect paths, and reused identifiers across years, turning ordinary phones into covert tracking beacons.

The investigation began after Cellusys flagged odd traffic in its firewall logs in late 2024. A high‑profile executive’s number surfaced as a target, prompting investigators to trace signals across operators in the UK, Israel, and the Channel Islands. The pattern revealed a long‑running, purpose‑built surveillance platform.

Technical analysis mapped malicious SMS payloads that issue hidden SIM‑card commands, siphoning location data. Analysts matched signalling IDs, BGP routes, and DNS records to operators in 20+ countries, including Sweden, Italy, and Mozambique. Reused identifiers created persistent clusters, allowing actors to evade attribution and persist for years.

These findings expose a systemic flaw: a global inter‑operator trust model that lets covert actors hijack routine mobile traffic. Regulators now face pressure to tighten intercarrier screening and enforce stricter oversight, or the same network infrastructure will continue to fuel clandestine surveillance.