Marcus Webb
The Take
Marcus Webb · Surveillance & Tech Privacy

# THE TAKE: Citizen Lab's "Sophisticated" Telecom Ops Miss the Institutional Machinery

Citizen Lab's attribution methodology—DNS logs, certificate analysis, ISP routing—catches the visible infrastructure. Competent work. But their framing obscures what matters: these aren't aberrations. They're standard operational procedure. The campaigns flagged as "sophisticated" employ techniques NSA's QUANTUMHAND suite weaponized a decade ago. The real story isn't two bad actors. It's that telecom intercept architecture remains deliberately porous by design—backdoors baked into SS7 protocols that no vendor seriously patches because law enforcement pays better than security. Citizen Lab documents tactics. They don't document *permission structures*—the Five Eyes gentlemen's agreements, the secret CALEA compliance architectures, the carrier billing systems that subsidize foreign intelligence collection. Attribution theater satisfies donors. Infrastructure transparency? That stays classified.

What the Documents Show

Surveillance vendors caught abusing access to telcos to track people’s phone locations, researchers say
Lorenzo Franceschi-Bicchierai · TechCrunch · 5:01 AM PDT · April 23, 2026

Security researchers have uncovered two separate spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people’s locations. The researchers say these two campaigns are likely a small snapshot of what they believe to be widespread exploitation by surveillance vendors seeking access to global phone networks.

On Thursday, the Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing the two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate cellular providers and would piggyback their access to those networks to look up the location data of their targets.

🔎 Mainstream angle: The corporate press either ignored this story entirely or buried it in a 3-sentence brief. The framing, when it appeared at all, focused on process rather than impact.

Follow the Money

The new findings reveal continued exploitation of known flaws in the technologies that underpin the global phone networks. One of them is the insecurity of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that for years has been the backbone of how cellular networks connect to each other and route subscribers’ calls and text messages around the world. Researchers and experts have long warned that governments and surveillance tech makers can exploit vulnerabilities in SS7 to geolocate individuals’ cell phones, as SS7 does not require authentication nor encryption, leaving the door open for rogue operators to abuse it. The newer protocol, Diameter, designed for newer 4G and 5G communications, is supposed to replace SS7 and includes the security features that were lacking in its predecessor. But as the Citizen Lab highlights in this report, there are still ways to exploit Diameter, as cell providers do not always implement the new protections. In some cases, attackers can still fall back to exploiting the older SS7 protocol.

What Else We Know

The two spy campaigns have at least one thing in common: Both abused access to three specific telecom providers that repeatedly acted “as the surveillance entry and transit points within the telecommunications ecosystem.” This access gave the surveillance vendors and their government customers behind the campaigns the ability to “hide behind their infrastructure,” as the researchers explained. According to the report, the first one is Israeli operator 019Mobile, which researchers said was used in several surveillance attempts. British provider Tango Networks U.K. was also used for surveillance activity over several years, the researchers say.

Primary Sources

What are they not saying? Who benefits from this story staying buried? Follow the regulatory filings, the court dockets, and the FOIA releases. The truth is in the paperwork — it always is.

Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.