Apr 24, 2026
Citizen Lab Found Two Spy Campaigns Hiding Inside Telecom Networks—Your Carrier Helped Them Track You
Two surveillance vendors posed as legitimate cell carriers and used an Israeli telecom, a British provider, and a Channel Islands operator as entry points to track targets worldwide through SS7 and Diameter protocol abuse.
What Citizen Lab Found
On April 23, 2026, the Citizen Lab published research documenting two separate surveillance campaigns that exploited well-known weaknesses in global telecom infrastructure to track people's physical locations. The campaigns ran for several years and targeted individuals across multiple countries.
The surveillance vendors behind the campaigns operated as ghost companies, pretending to be legitimate cellular providers. They piggybacked on real telecom networks to query location data for their targets. When one attack method failed, they automatically switched to another.
How the Attacks Work
Both campaigns abused protocols that underpin how cell networks communicate with each other. The first campaign targeted SS7, the signaling protocol designed in the 1970s that still routes calls and texts between carriers worldwide. SS7 has no authentication, no encryption, and no way to verify that a signaling request comes from a legitimate operator. If the SS7 attack failed, the vendor automatically fell back to Diameter, a newer protocol that carries similar vulnerabilities.
The second campaign used a different technique entirely: SIMjacker-style attacks that sent specialized SMS commands directly to a target's SIM card. These commands instructed the SIM to report the phone's location back to the attacker, effectively turning the phone into its own tracking device without the user's knowledge or any visible notification.
The Telecom Entry Points
Citizen Lab identified three specific telecom providers that repeatedly served as entry points for the surveillance campaigns:
- 019Mobile, an Israeli operator, was used in several surveillance attempts
- Tango Networks U.K., a British provider
- Airtel Jersey/Sure, a Channel Islands operator now owned by Sure
These providers were not necessarily complicit. Surveillance vendors may have obtained legitimate access agreements, used shell companies to lease network capacity, or exploited weaknesses in how interconnect agreements are verified. The result was the same: the vendors gained a foothold in the global telecom fabric and used it to reach targets on any carrier, in any country.
Who the Vendors Are
Citizen Lab did not name the surveillance companies. Researcher Gary Miller, who contributed to the analysis, assessed that the first vendor is likely an Israeli-based commercial geo-intelligence provider. Security researchers have previously linked similar operations to companies like Circles (acquired by NSO Group), Cognyte, and Rayzone, all of which sell location-tracking capabilities to government clients.
The second vendor also remains unnamed. Miller noted that these two campaigns represent only "two surveillance campaigns in a universe of millions of attacks across the globe," suggesting that the scale of telecom surveillance is far larger than what any single investigation can document.
Why This Is Hard to Stop
SS7 was built for a world where every telecom operator was a trusted, government-backed monopoly. There was no need for authentication because every participant was assumed to be legitimate. That assumption collapsed decades ago, but the protocol still underpins global cellular communications.
Upgrading is technically possible but economically painful. Thousands of carriers across hundreds of countries would need to coordinate. Some have implemented SS7 firewalls that filter suspicious requests, but coverage is inconsistent and the surveillance vendors adapt their techniques to evade detection.
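One way a carrier's monitoring could surface the SS7-to-Diameter fallback described earlier, shown as an added example that is not from the Citizen Lab report: correlate blocked SS7 location queries with later Diameter location queries for the same subscriber. The record schema, peer names, subscriber labels and sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed, normalized firewall records (hypothetical schema, not real data):
# (timestamp, protocol, kind, origin peer, subscriber, firewall verdict)
EVENTS = [
    ("2026-01-10T08:00:00", "ss7",      "location_query", "peer-A", "sub-001", "blocked"),
    ("2026-01-10T08:00:40", "diameter", "location_query", "peer-B", "sub-001", "allowed"),
    ("2026-01-10T08:05:00", "ss7",      "sms_delivery",   "peer-C", "sub-002", "allowed"),
    ("2026-01-10T09:00:00", "ss7",      "location_query", "peer-A", "sub-003", "blocked"),
    ("2026-01-10T11:30:00", "diameter", "location_query", "peer-D", "sub-003", "blocked"),
    ("2026-01-10T12:00:00", "diameter", "location_query", "peer-B", "sub-004", "allowed"),
    ("2026-01-10T12:10:00", "ss7",      "location_query", "peer-A", "sub-005", "blocked"),
    ("2026-01-10T12:12:00", "diameter", "location_query", "peer-A", "sub-005", "blocked"),
]

def find_fallbacks(events, window=timedelta(minutes=10)):
    """Return alerts where a blocked SS7 location query is followed, within
    `window`, by a Diameter location query for the same subscriber."""
    last_blocked = {}  # subscriber -> (time, origin) of the latest blocked SS7 query
    alerts = []
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, proto, kind, origin, sub, verdict in sorted(events):
        if kind != "location_query":
            continue
        t = datetime.fromisoformat(ts)
        if proto == "ss7" and verdict == "blocked":
            last_blocked[sub] = (t, origin)
        elif proto == "diameter" and sub in last_blocked:
            t0, ss7_origin = last_blocked[sub]
            if t - t0 <= window:
                alerts.append({
                    "subscriber": sub,
                    "ss7_origin": ss7_origin,
                    "diameter_origin": origin,
                    "delay_s": int((t - t0).total_seconds()),
                    # An allowed retry means the location may have been disclosed.
                    "severity": "high" if verdict == "allowed" else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in find_fallbacks(EVENTS):
        print(alert)
```

The correlation key is the subscriber rather than the origin peer, because the retry can arrive through a different entry point than the blocked request.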
The UK government disclosed the same week that 100 countries now have access to commercial spyware capable of hacking phones, up from 80 countries in 2023. Telecom-based location tracking is just one layer in a growing commercial surveillance ecosystem that governments are buying into rather than regulating away.
What You Can Do
Individual protection against SS7 surveillance is limited because the attack happens at the network level, not on your device. But there are steps that reduce your exposure:
- Use encrypted messaging apps like Signal for sensitive communications. SS7 attacks can intercept SMS and voice calls, but not end-to-end encrypted messages.
- Disable SMS-based two-factor authentication where possible. Use authenticator apps or hardware keys instead.
- Be aware that your phone number is a tracking vector. Every cell connection reveals your approximate location to your carrier, and through SS7, potentially to anyone with network access.
- For high-risk individuals (journalists, activists, lawyers), consider using a dedicated device for sensitive work and keeping it powered off when not in use.
The same principle applies to email. Just as your carrier can be exploited to track your location, marketing emails use tracking pixels to monitor when and where you open messages. The surveillance tools differ, but the pattern is the same: infrastructure you trust is being used to watch you.
The Bigger Picture
Citizen Lab's report arrives alongside a wave of disclosures about surveillance infrastructure. In the United States, police are already using ad tech to track 500 million phones without warrants. Chinese state actors have planted sleeper backdoors in telecom networks that can track any phone. And commercial spyware vendors continue to sell phone-hacking capabilities to any government willing to pay.
The telecom system was not designed for a world where surveillance is a commercial product. Until it is fundamentally rebuilt, every phone on Earth is a potential tracking target for anyone with the right network access and enough money to buy it.