Citizen Lab’s 192nd report, published April 23, 2026, identifies three telecom carriers — 019Mobile, Sure/Airtel Jersey, and Tango Networks UK — as recurring entry-and-transit points for two distinct surveillance campaigns. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) The structural finding is more consequential than the carrier names: even when a target’s home network runs Diameter with 3GPP protections in place, the roaming architecture allows transit carriers to force a fallback to SS7, collapsing the security assumptions of anyone who believed upgrading to 4G/5G had closed the signaling exposure. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)

Two Campaigns, Three Carriers

The report, authored by Gary Miller and Swantje Lange, documents two surveillance-vendor campaigns the researchers designate STA1 and STA2. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)

STA1 targeted a “VVIP” subscriber — described as a well-known company executive at a Middle East operator — on November 25, 2024. The attack used coordinated SS7/Diameter protocol switching across 11 spoofed operator identities spread across 9 countries. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) The breadth of that identity spoofing is not incidental; it reflects deliberate operational tradecraft to obscure the signaling origin.

STA2 is technically distinct. It combined SIMjacker — a zero-click SMS exploit that invokes the S@T browser running on the target’s SIM card — with malformed Diameter Authentication-Information-Request probes carrying a Visited-PLMN Id value of 0000. That attack routed through Jersey Airtel infrastructure in February 2025. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)

What connects the two campaigns is the set of transit carriers through which attack traffic consistently passed.

How the Combined Attach Procedure Breaks the ‘Diameter Is Safer’ Assumption

The combined attach procedure is the mechanism defenders need to understand. When a roaming device registers simultaneously on 3G and 4G networks — which is what combined attach enables — it carries dual registration state. An attacker who hits a Diameter check on the 4G path and finds it blocked does not need to give up; they pivot to the SS7 path through the same transit carrier. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)

This is not a theoretical edge case. Citizen Lab observed STA1 executing exactly that pivot: Diameter probes first, SS7 fallback when Diameter rejected the query. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) The home network’s Diameter deployment was operational. The 3GPP protections were present. They failed to stop the attack because the roaming topology gave the attacker an alternate path.

The implication for carriers presenting Diameter deployments to regulators as evidence of SS7 remediation: the attestation needs to cover what the roaming partner can do, not just what the home network blocks at its own edge.

The Three Entry-and-Transit Points

019Mobile is an Israeli MVNO operating under the Telzar 019 brand. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) The carrier denied the findings after the report’s publication. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) Denial is worth noting as a data point for how regulatory follow-up is likely to proceed.

Airtel Jersey/Sure operates in the Channel Islands and is part of the Beyon Group, which is Bahrain state-controlled. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) The STA2 SIMjacker campaign routed through Jersey Airtel infrastructure in February 2025. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)

Tango Networks UK is a UK subsidiary of Texas-based Tango Networks Inc. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)

All three appear as recurring nodes in the surveillance traffic graph — not as one-time anomalies but as consistent access infrastructure across campaigns with different tooling and different targets.

The carrier-level view, however, is not where the full attack surface sits. Below the carrier sits the Global Title (GT) leasing layer.

GT Leasing Governance Is the Unpatched Hole

A Swedish MVNE called Telenabler AB leased GT 467647531812. That single GT generated over 1,700 privacy attacks between October 2023 and April 2025, with more than 92% of its traffic attributable to location tracking. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)

GT leasing — the practice of mobile network enablers subletting Global Title addresses to third parties — is the mechanism that gives surveillance vendors a signaling identity without owning or operating a real network. It is also the mechanism that is essentially ungoverned at the international level.

The GSMA published a Code of Conduct for GT Leasing. Two years after publication, it has “no meaningful signatories.” (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) The UK implemented GT restrictions that have not been replicated in other jurisdictions. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) That leaves the interconnect graph with a self-governance structure that has produced no measurable compliance.

Telenabler AB’s GT generated its traffic over an 18-month window, across thousands of queries, before the Citizen Lab report named it. The volume argues against the possibility that this traffic was overlooked by accident.

What the FCC Asked For — and What Carriers Actually Need to Do

The FCC’s Public Safety and Homeland Security Bureau issued DA-24-308 in March 2024, requesting comment on how communications service providers were implementing security countermeasures against SS7 and Diameter vulnerabilities; comments were due April 26, 2024. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) What the proceeding produced in terms of enforceable requirements is not yet established from the brief’s sources.

What the Citizen Lab report implies for that regulatory question is fairly specific. Protocol upgrades — moving from SS7 to Diameter — are insufficient on their own when the roaming architecture preserves SS7 fallback. The two controls that would have materially affected the campaigns documented in “Bad Connection” are:

Signaling firewalls at the interconnect boundary, capable of detecting and blocking anomalous location queries regardless of which protocol layer they arrive on. A signaling firewall that only inspects Diameter while passing SS7 does not close the combined-attach path.

Inter-carrier attestation for GT identity. When a query arrives from a leased GT, the receiving carrier currently has limited ability to verify that the originating entity is who the GT implies. A credentialed attestation layer — analogous in concept to STIR/SHAKEN for caller ID, though the implementation would differ significantly — would raise the cost of using leased GTs as surveillance infrastructure.

Neither of these is a protocol upgrade. Both require coordination across carriers and across regulatory jurisdictions, which is precisely why the GSMA’s self-governance attempt has attracted no meaningful signatories.

What This Means for 5G and Future Roaming Architecture

The 5G SA (standalone) architecture uses HTTP/2-based signaling (N32 interface) and eliminates the SS7 layer for network-to-network interconnect. For networks that have completed full SA deployment, the combined-attach fallback path does not exist in the same form.

The problem is the migration timeline. NSA (non-standalone) 5G, which uses LTE as the control plane anchor, preserves the 4G/3G dual-registration model and with it the Diameter/SS7 pivot path. NSA deployments represent the current state of most 5G commercial rollouts as of early 2026. A network operator that has deployed NSA 5G and bills this as a security improvement over pure LTE is making a claim that the combined-attach analysis does not support.

For carriers receiving regulatory pressure in the wake of FCC DA-24-308 and the “Bad Connection” report, the honest answer to “what does your SS7 remediation look like” requires disclosing not just their own signaling architecture but their roaming partners’ GT leasing practices and their own signaling firewall coverage across all protocol layers. The Citizen Lab report shows that the answer confined to the home network’s own stack is an incomplete answer.

019Mobile’s denial of the findings means the named carriers will not self-correct based on the report. The governance gap at the GT leasing layer means the interconnect graph will not self-correct either. That leaves signaling firewalls deployed at carrier edges and regulatory action on GT leasing as the remaining levers — and the GSMA’s two-year-old Code of Conduct with no meaningful signatories as the benchmark for how quickly the industry moves when the lever is voluntary. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)

Frequently Asked Questions

Does SIMjacker still work on phones with modern SIM cards, or is it limited to older hardware?

SIMjacker exploits the S@T Browser application, which is present on SIM cards issued by carriers that chose to include it — the vulnerability is a SIM provisioning decision, not a handset one. Modern flagship phones are irrelevant to the attack vector: the S@T Browser runs on the SIM’s own processor. Carriers that have never provisioned S@T Browser on issued SIMs are not exposed; those that have legacy SIM stock in circulation remain vulnerable regardless of the subscriber’s device generation.

How does the GT leasing problem compare to the STIR/SHAKEN rollout the FCC mandated for voice caller ID?

STIR/SHAKEN required FCC mandate and multi-year carrier deadlines before achieving meaningful adoption — voluntary industry commitments produced negligible uptake beforehand. The GSMA GT leasing Code of Conduct mirrors the pre-mandate state: published, technically sound, and two years in with no meaningful signatories. The structural difference is jurisdictional: STIR/SHAKEN applied to US carriers under FCC authority, while GT addresses are allocated internationally, meaning no single regulator can impose a compliance deadline on the full leasing ecosystem the way the FCC could for US VoIP attestation.

What would a carrier need to budget or change operationally to deploy a signaling firewall that covers both SS7 and Diameter simultaneously?

A dual-protocol signaling firewall requires a dedicated SS7/Diameter security gateway (typically a separate hardware or virtualized appliance from vendors such as Mobileum, Cellusys, or P1 Security) with real-time rule sets updated for known surveillance GT ranges — a subscription cost on top of the appliance. The operational burden is maintaining correlated alerting across both protocol layers, because an anomalous Diameter probe followed immediately by an SS7 location query from the same originating GT is the combined-attach pivot pattern; a single-protocol firewall that does not correlate across layers will not flag it. Carriers on NSA 5G architectures must also ensure the firewall sits at the S6a/MAP boundary, not just the Diameter edge.
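The cross-layer correlation described above, sketched as an added example (not code from the Citizen Lab report or from any vendor product). The normalised log layout, the 120-second window, and all origins and subscriber ids are constructed assumptions; the sketch keys on the target subscriber rather than only on the originating GT, which generalises the same-GT case, and it also flags the Visited-PLMN Id value of 0000 reported for STA2.

```python
WINDOW_S = 120  # assumed correlation window; tune against your own traffic
SS7_LOCATION_OPS = {"ATI", "PSI", "SRI-SM", "PSL"}  # MAP operations that can expose location

# Constructed events from a hypothetical normalised firewall log:
# (epoch_s, protocol, operation, origin, subscriber, outcome, visited_plmn)
EVENTS = [
    (1000, "diameter", "AIR", "mme.op-a.example", "001010000000001", "rejected", "00101"),
    (1030, "ss7", "PSI", "990000000001", "001010000000001", "passed", None),
    (1200, "diameter", "AIR", "mme.op-b.example", "001010000000002", "answered", "00101"),
    (1900, "ss7", "SRI-SM", "990000000002", "001010000000002", "passed", None),
    (2000, "diameter", "AIR", "mme.op-c.example", "001010000000003", "rejected", "0000"),
    (2500, "ss7", "ATI", "990000000003", "001010000000003", "passed", None),
]

def find_pivots(events, window_s=WINDOW_S):
    """Alert when a rejected Diameter request is followed, within window_s,
    by an SS7 location operation for the same subscriber."""
    last_reject = {}  # subscriber -> (time, origin) of latest rejected Diameter request
    alerts = []
    for ts, proto, op, origin, sub, outcome, _plmn in sorted(events, key=lambda e: e[0]):
        if proto == "diameter" and outcome == "rejected":
            last_reject[sub] = (ts, origin)
        elif proto == "ss7" and op in SS7_LOCATION_OPS and sub in last_reject:
            t0, d_origin = last_reject[sub]
            if ts - t0 <= window_s:
                alerts.append({"subscriber": sub, "diameter_origin": d_origin,
                               "ss7_origin": origin, "gap_s": ts - t0})
    return alerts

def malformed_plmn_probes(events):
    """Diameter AIRs carrying the Visited-PLMN Id value 0000."""
    return [e for e in events if e[1] == "diameter" and e[2] == "AIR" and e[6] == "0000"]

if __name__ == "__main__":
    print(find_pivots(EVENTS))
    print(malformed_plmn_probes(EVENTS))
```

A firewall that logs each protocol to a separate store cannot run this check; both feeds have to land in one time-ordered stream first.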

Which jurisdictions outside the UK have taken any binding action on GT leasing, and what happened in those cases?

As of the Citizen Lab report’s April 2026 publication date, the UK’s GT restrictions remain the only known binding national-level action on GT leasing. No other jurisdiction in the research brief is documented as having enacted equivalent rules, and the brief explicitly states the UK restrictions ‘have not been emulated elsewhere.’ The GSMA Code of Conduct remains the only multilateral instrument and carries no enforcement mechanism, which is why the Telenabler AB GT was able to generate over 1,700 attack queries across an 18-month window without triggering a compliance response.

At what point in the 5G transition does the combined-attach fallback risk actually disappear for a given carrier?

The risk disappears only when a carrier completes full 5G Standalone (SA) deployment and retires NSA operation entirely — SA uses the N32 HTTP/2 interface for network-to-network interconnect, which has no SS7 layer to fall back to. The intermediate states (NSA 5G anchored to LTE, or any network still running a 3G UMTS layer for coverage) all preserve combined attach and with it the Diameter/SS7 pivot path. A carrier that has deployed SA cores but maintains NSA for rural coverage or roaming interoperability is still exposed on those connections, so the transition is not binary at the network level even after SA is commercially launched.

Sources

  1. Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors (primary; accessed 2026-04-24)
  2. New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide (analysis; accessed 2026-04-24)
