On April 23, 2026, Citizen Lab published “Bad Connection” [1], its 192nd report, identifying two commercial surveillance vendor clusters that have been exploiting SS7 and Diameter signaling to track phone locations across borders. For the first time, the researchers named specific carriers those clusters repeatedly used as gateways: Israel’s 019Mobile, the UK’s Tango Networks, and Airtel Jersey, now operating as Sure on the Channel Islands.

What Citizen Lab Found: STA1 and STA2

STA1 has been active since at least November 2022, accumulating over 500 recorded threat events. On November 25, 2024, it ran a coordinated campaign against a Middle East “VVIP” executive: 11 operator identities across 9 countries, spanning four hours. The campaign mixed SS7 MAP operations on the 3G path (provideSubscriberInfo, anyTimeInterrogation, sendRoutingInfoForSM) with Diameter S6a commands on the 4G path (Insert-Subscriber-Data-Request, Authentication-Information-Request) to locate the target.

STA2 is a distinct campaign with a different attack vector. The report identifies it as a SIMjacker variant active from February 2025, deploying zero-click binary SMS messages carrying S@T browser commands that extract location without user interaction. More than 1,700 SS7 attacks are traced to Swedish MVNO enabler Telenabler AB (global title: 467647531812) between October 2023 and April 2025; 92% were location-tracking operations.

The two clusters should not be collapsed into a single attack type. STA1 is a persistent, multi-vector actor mixing 3G and 4G signaling channels. STA2’s SIMjacker component is a narrower, zero-click path through a different protocol layer. Gary Miller, one of the report’s authors, noted in TechCrunch’s coverage [2] that “we only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” and said he has observed thousands of such attacks over the years.

How Ghost MNOs Exploit SS7 and Diameter Signaling

The attack surface is not a software bug. The Citizen Lab report [1] states that these vulnerabilities are “inherent to global telecommunications design,” which is a precise way of saying that SS7 was built on the assumption that every node on the network is a trusted carrier. That assumption has not held for at least a decade.

The operational model relies on ghost MNOs. Surveillance actors purchase access through legitimate operators or third-party providers, which lets them send tracking requests that appear to originate from a licensed carrier. The target’s home network sees only the originating operator identity on the wire; it has no reliable mechanism to distinguish a request from a commercial surveillance vendor piggybacking on a licensed MVNO from a request issued by the MVNO itself.

Roaming interconnect is a trust delegation, not a verified channel. When a carrier sells or leases signaling access to a downstream buyer, it extends its trust envelope to whatever that buyer does with it. The Citizen Lab FAQ [3] documents how this creates entities that are invisible to the target’s carrier while appearing legitimate to the network layer routing their queries.

The Three Named Carriers and Their Responses

019Mobile (Israel), Tango Networks (MCC 234, MNC 053, UK), and Airtel Jersey (Channel Islands, now owned by Sure) appear repeatedly as entry and transit points across both campaigns documented in the report.

Sure CEO Alistair Beak told TechCrunch [2] that the company does not lease signaling access “directly or knowingly to organisations for the purposes of locating or tracking individuals.” The qualifier “knowingly” is doing significant work in that sentence. 019Mobile representative Gil Nagar said the company “cannot confirm” the identified infrastructure belongs to it. Tango Networks did not respond.

These are the three available positions: denial of intent, uncertainty about attribution, and silence. None of them address whether roaming access sold to downstream resellers ends up in surveillance vendor supply chains. That is the structural question, and none of the carriers answered it.

Why Naming Carriers Changes the Enforcement Calculus

SS7 abuse has been documented publicly since at least 2014. The regulatory response over the intervening years has consisted primarily of generic advisories, voluntary operator security standards, and parliamentary inquiries that named no licensees and compelled nothing.

The enforcement problem has always been structural: when threat actors are described as “unknown actors exploiting a known protocol,” there is no licensee to sanction, no specific jurisdiction to assert, and no named respondent for a regulator to summon. The Citizen Lab report changes that framing. 019Mobile holds an Israeli telecommunications license. Tango Networks UK holds a UK MVNO license regulated by Ofcom. Airtel Jersey’s operations are now under Sure, subject to the Jersey Competition Regulatory Authority (JCRA).

Naming them converts “protocol vulnerability” into “licensee behavior.” Ofcom, the Jersey Competition Regulatory Authority, and the Israeli Ministry of Communications now have specific entities they can require to audit downstream reseller relationships, report on who holds signaling access, and demonstrate that roaming interconnect is not being sold into surveillance-vendor supply chains. Whether those regulators act is a separate question; the precondition for action has been met.

The regulatory ask in the report is the same one that has failed for a decade: make roaming-interconnect licensees liable for what their access enables. The named respondents are new. The ask is not.

The AI Policy Angle: Surveillance Pipelines Below the Model Layer

The commercial surveillance vendor infrastructure documented here predates the current AI development cycle by years. STA1 has been running since at least November 2022. The ghost MNO model, purchasing signaling access through legitimate carriers and routing location queries through the global SS7 network, operates independently of whatever targeting technology sits above it.

The EU’s Pegasus inquiry documented how commercial spyware vendors operate as service providers to state actors, keeping the surveillance capability at arm’s length from the direct user. The SS7/Diameter pipeline in “Bad Connection” is the same template at the protocol layer. A model that ingests intercept data or location history does not change the enforcement problem at the carrier level; it moves accountability up the stack while leaving the protocol-layer enablement intact.

Current AI legislative frameworks focus on the model: training data provenance, output auditing, prohibited use categories. None of those interventions reach the signal collection layer. If a surveillance vendor integrates an AI targeting system over an SS7 location feed, the AI layer becomes auditable in principle while the feed remains unaddressed. The enforcement gap is below the model, and it predates any of the current AI regulatory frameworks by years.

What Regulators Can Do Now

The structural ask is licensee liability: any carrier that sells or leases signaling access to a downstream buyer should be required to audit and report on that buyer’s use, and to hold downstream contracts to the same prohibitions that apply to the primary licensee. This mirrors how spectrum resale and MVNO hosting agreements already work in most jurisdictions, minus the accountability provisions.

Ofcom has jurisdiction over Tango Networks UK. The Jersey Competition Regulatory Authority has jurisdiction over Sure. The Israeli Ministry of Communications has jurisdiction over 019Mobile. All three regulators now have a Citizen Lab report with specific operator identifiers and attack logs tied to specific carriers.

The report has done the attribution work. The carriers are named, the attack logs are documented, and the protocol commands are on record. The gap between “regulators have enough to act” and “regulators act” is no longer a question of evidence.

Frequently Asked Questions

Does 5G eliminate the SS7/Diameter trust gap?

Partially. The 5G core replaces SS7/Diameter with an HTTP/2-based service-based architecture, and inter-operator roaming signaling crosses a Security Edge Protection Proxy (SEPP) on each side, which encrypts and authenticates the exchange. However, the SEPP authenticates the peer operator, not that operator’s downstream resellers, so the same ghost-MNO delegation problem recurs one protocol layer up. During the multi-year 4G-to-5G transition, networks must also interwork with legacy SS7/Diameter, so the old attack surface persists alongside the new one.

How does STA2’s SIMjacker variant differ from the original 2019 SIMjacker disclosure?

The 2019 SIMjacker disclosure (by AdaptiveMobile Security) exploited the S@T browser on SIM cards through a single malicious binary SMS sent to a specific handset. STA2’s campaign operates at industrial scale: it routes zero-click S@T payloads through purchased MVNO signaling access via Telenabler AB, enabling mass targeting rather than one-at-a-time exploitation. The underlying SIM card vulnerability is the same, but the delivery infrastructure is surveillance-as-a-service.

Why can’t carriers just block the SS7 commands used for location tracking?

Because most of those commands also serve essential, legitimate roaming functions. provideSubscriberInfo is how a subscriber’s home HLR retrieves the current location and state of a roamer from the visited VLR. sendRoutingInfoForSM is how an SMSC learns which MSC or SGSN is serving the target so an SMS can be delivered, and it crosses international interconnects every time a foreign subscriber texts one of your customers. Blocking those two outright breaks international roaming and SMS delivery for every subscriber. anyTimeInterrogation is the exception: it is a query from a service platform to the subscriber’s own HLR, has no legitimate reason to arrive from a foreign network, and is the kind of command GSMA’s FS.11 monitoring guidance treats as droppable at the border. For the rest, the GSMA’s voluntary guidance (FS.07, IR.81, FS.11) recommends pattern-based traffic filtering, flagging anomalous query volumes or geographic inconsistencies rather than command-level blocking, which is why carriers that already deploy SMS firewalls against spam have the closest existing infrastructure to adapt.

What happens if the three named regulators take no action?

The economic incentive structure stays intact: signaling-access resale is a low-margin, high-volume business with no audit requirement, so carriers that skip downstream due diligence face no competitive penalty. Gary Miller’s observation that the report examined two campaigns “in a universe of millions” implies the three named carriers are a sample of a much larger set of entry points. Without enforcement precedent in any one jurisdiction, every other carrier serving as an unknowing transit node has no reason to change reseller agreements.

Is a mobile subscriber on a network that deploys SS7 firewalls still at risk?

Yes, because the tracking request typically reaches the target’s home network as a legitimate-looking roaming query from a foreign operator. SS7 firewalls operate on heuristics (volume spikes, unusual origin global titles, off-hours patterns), but STA1’s VVIP campaign rotated through 11 operator identities across 9 countries in four hours, distributing the queries so that no single origin ever crossed a per-origin threshold. The firewall protects against blunt attacks, not against adversaries who spread their queries across enough purchased or leased operator identities to stay under per-origin limits; catching that pattern requires correlating by target rather than by sender.
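Detection logic illustrating both the per-origin blind spot described in this answer and the command-level trade-off from the previous one, written for this article as an added example; it is not code from Citizen Lab or from any carrier. The log lines, global titles, country tags and IMSIs are constructed placeholders, the placement of anyTimeInterrogation and sendIMSI in a block-at-border category follows the GSMA FS.11 category scheme as this example applies it, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Category-1 operations in the GSMA FS.11 sense (this example's assumption):
# a home network never legitimately receives these from a foreign operator,
# so they can be dropped at the interconnect without affecting roaming.
CATEGORY_1 = {"anyTimeInterrogation", "sendIMSI"}

# Constructed signaling log (not from the report). Fields: timestamp,
# origin global title, origin country tag, MAP operation, target IMSI.
# Lines 1-3 are one legitimate SMSC delivering to three subscribers; the rest
# is a distributed campaign against one IMSI: 11 origins, 9 countries, < 4 h.
CONSTRUCTED_LOG = """\
2024-11-25T09:02:11Z 999100000101 CC1 sendRoutingInfoForSM 001010000000001
2024-11-25T09:02:13Z 999100000101 CC1 sendRoutingInfoForSM 001010000000002
2024-11-25T09:02:15Z 999100000101 CC1 sendRoutingInfoForSM 001010000000003
2024-11-25T10:00:05Z 999200000201 CC2 anyTimeInterrogation 001010000000777
2024-11-25T10:04:40Z 999200000202 CC2 provideSubscriberInfo 001010000000777
2024-11-25T10:31:12Z 999300000301 CC3 sendRoutingInfoForSM 001010000000777
2024-11-25T10:58:47Z 999400000401 CC4 provideSubscriberInfo 001010000000777
2024-11-25T11:20:03Z 999500000501 CC5 sendRoutingInfoForSM 001010000000777
2024-11-25T11:41:55Z 999600000601 CC6 provideSubscriberInfo 001010000000777
2024-11-25T12:05:18Z 999700000701 CC7 sendRoutingInfoForSM 001010000000777
2024-11-25T12:27:09Z 999800000801 CC8 provideSubscriberInfo 001010000000777
2024-11-25T12:49:31Z 999900000901 CC9 sendRoutingInfoForSM 001010000000777
2024-11-25T13:10:44Z 999010000011 CC10 provideSubscriberInfo 001010000000777
2024-11-25T13:33:26Z 999300000302 CC3 sendRoutingInfoForSM 001010000000777
"""


def parse_log(text):
    """Parse the constructed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, gt, cc, opcode, imsi = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "origin_gt": gt, "origin_cc": cc, "opcode": opcode, "target": imsi,
        })
    return sorted(events, key=lambda e: e["ts"])


def screen(event):
    """Stage 1, command-level policy: only Category-1 traffic is blocked.
    PSI and SRI-SM must pass, because roaming and SMS delivery depend on them."""
    return "block" if event["opcode"] in CATEGORY_1 else "pass"


def per_origin_alerts(events, limit=3, window=timedelta(hours=1)):
    """Stage 2a, what a basic SS7 firewall enforces: flag any origin GT that
    sends more than `limit` queries inside any `window`. Blocked attempts are
    still counted; a dropped query is still evidence about its sender."""
    by_origin = defaultdict(list)
    for e in events:
        by_origin[e["origin_gt"]].append(e["ts"])
    flagged = set()
    for gt, stamps in by_origin.items():
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) > limit:
                flagged.add(gt)
                break
    return flagged


def per_target_alerts(events, window=timedelta(hours=4), min_origins=3, min_countries=2):
    """Stage 2b, correlation keyed on the target: for each IMSI find the
    densest `window` and count distinct origin GTs and origin countries.
    Returns {target: (origins, countries)} for targets over both thresholds."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)
    flagged = {}
    for imsi, evs in by_target.items():
        best = (0, 0)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            origins = {e["origin_gt"] for e in in_window}
            countries = {e["origin_cc"] for e in in_window}
            best = max(best, (len(origins), len(countries)))
        if best[0] >= min_origins and best[1] >= min_countries:
            flagged[imsi] = best
    return flagged


def analyse(text):
    """Run all three stages over a log and return the findings."""
    events = parse_log(text)
    return {
        "events": len(events),
        "blocked_at_border": [(e["origin_gt"], e["opcode"]) for e in events if screen(e) == "block"],
        "per_origin": per_origin_alerts(events),
        "per_target": per_target_alerts(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(CONSTRUCTED_LOG).items():
        print(f"{name}: {finding}")
```

Run as a script, the per-origin stage returns nothing, because no global title sent more than three queries in an hour (the legitimate SMSC sent exactly three, each for a different subscriber), while the per-target stage reports the VVIP IMSI queried from 11 origins in 9 countries inside one four-hour window. Only the anyTimeInterrogation was stopped at the border; the provideSubscriberInfo and sendRoutingInfoForSM queries all passed stage 1 and would each have returned location data. The pivot is the key: counting by sender sees eleven unremarkable peers, correlating by target sees one campaign.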

Footnotes

  1. Citizen Lab, “Bad Connection” (primary source), accessed 2026-04-29
  2. TechCrunch, “Surveillance vendors caught abusing access to telcos to track people’s phone locations” (analysis), accessed 2026-04-29
  3. Citizen Lab, “Bad Connection” FAQ (primary source), accessed 2026-04-29
