- Citizen Lab found two surveillance actors exploiting global telecommunications flaws
- Attackers use covert SMS and signaling systems to track targets’ locations
- Since attackers bypass the Internet entirely, a VPN cannot protect you
Security researchers have just revealed details of two covert surveillance campaigns that exploit weaknesses in the global telecommunications infrastructure.
In a report published Thursday, Citizen Lab explains that attackers abuse the signaling systems mobile operators use to support roaming, route messages and locate devices on the network. The vulnerabilities were used to track specific subscribers or to send invisible SMS messages that retrieved the target’s location.
The findings point to a wider problem in the global mobile ecosystem where connections between operators can be abused. Crucially, users cannot do much to protect themselves against these attacks; even those who use best VPN services are actually vulnerable to this type of monitoring.
The article continues below
What Citizen Lab’s report found
Citizen Lab’s report focuses on two separate sophisticated surveillance actors who targeted the infrastructure mobile networks use to communicate with each other.
These systems are what let your phone connect while roaming, but also do simple things like receive texts and stay reachable when you move between cell towers.
Crucially, the findings “link, for the first time, combined 3G and 4G network attacks directly to the mobile operator’s infrastructure,” researchers explain.
🚨New research reveals how two sophisticated surveillance actors exploited the global telecom ecosystem and for the first time links combined 3G and 4G network attacks directly to mobile operator infrastructure. Full report 👇 pic.twitter.com/nL8Bvn44in23 April 2026
Citizen Lab claims that attackers misused these trusted connections to attempt to geolocate specific mobile users.
The first campaign used older 3G and newer 4G signal systems known as SS7 and Diameter. Citizen Lab says the attackers used these systems to locate a high-profile target described by their operator as a “VVIP”.
The second campaign used a different method: instead of sending a normal text that the user would see, attackers sent hidden, completely invisible SMS messages that were only visible to the SIM card inside the phone. That message was trying to get the SIM to collect location information and send it back. The target wouldn’t even know it was happening; it was all behind the scenes.
Perhaps worst of all, performing these attacks doesn’t require you to accidentally download malware or fall for a scam. Attackers can simply compromise the cellular network around your phone or quietly hijack the SIM card directly.
Why a VPN can’t help
People interested in being anonymous online often try one of those most private VPNs to keep their activity secure. But even a top-notch VPN client cannot protect you from this attack.
A VPN is designed to protect your internet traffic. It can mask your IP address, encrypt the data leaving your device, or make it look like you’re browsing from a different location. These features make VPNs indispensable for privacy, security, and even avoiding censorship in certain countries.
But the attacks described by Citizen Lab don’t seem to rely on your IP address at all. The attackers are not concerned about where your browser says you are.
This is the crucial difference: your VPN sits on top of your internet connection, but the SIM card and your mobile network connection work on another layer. Your phone still connects to local cell towers even when the internet is turned off.
How to stay safe
For most people, this is not a cause for panic. These campaigns are said to target high-profile individuals, and so far there does not appear to be a campaign targeting the general public.
The bigger problem is that there isn’t much you can do to defend yourself against these attacks should they come your way. A telecom-level actor targeting your SIM card or abusing cellular signal systems is not something you can completely prevent.
Although standard cybersecurity habits, like keeping your device updated and using a VPN, are essential to your daily Internet privacy, defending against this specific type of telecommunications tracking requires extreme measures. For high-risk individuals, the only true mitigation is to rely solely on Wi-Fi and disable cellular connections entirely.
