Investigation uncovers two sophisticated telecom surveillance campaigns


TLDR

  • Citizen Lab identified two ghost-operator surveillance vendors exploiting SS7 and Diameter flaws to geolocate targets via 019Mobile, Tango Networks UK, and Airtel Jersey.

Key Takeaways

  • Both campaigns used “ghost” cellular providers piggybacking on real network access to run location lookups without direct carrier accountability.
  • SS7’s lack of authentication and encryption remains exploitable; the protections in its successor, Diameter, are inconsistently deployed by carriers, allowing fallback attacks.
  • The first vendor chained SS7 attempts with Diameter fallback; the second used SIMjacker-style binary SMS commands that leave no visible trace on the target device.
  • Researcher Gary Miller points to an Israel-based commercial geo-intelligence firm; Circles, Cognyte, and Rayzone are named as comparable known vendors.
  • Citizen Lab frames these two campaigns as a narrow sample of what they estimate are millions of attacks globally, with government customers driving demand.

Hacker News Comment Review

  • Commenters highlight that insider access at telcos is a parallel and underreported threat vector: employees with legitimate system access have stalked individuals using the same location lookup infrastructure, with victims dismissed by law enforcement.
  • There is broad consensus that the surveillance-state professionalism assumption is false: documented LOVEINT cases at NSA and comparable insider abuse show that access concentration produces individual-actor misuse well before any formal campaign.
  • Discussion notes geographic normalization: in some countries, this type of telco location data surfaces on black markets at low cost and is routinely cross-referenced with other identifiers, suggesting the “sophisticated campaign” framing understates commodity availability.

Notable Comments

  • @aetherspawn: Describes a real stalking case where a telco-employed ex-partner tracked a victim across new SIM cards and phones by name lookup, with police dismissing reports.
  • @areoform: “One of the biggest lies about the surveillance state is that it’ll be professional” – cites LOVEINT cases and foreign-national employee misuse of US intelligence assets.
