- Citizen Lab uncovered two surveillance actors exploiting global telecommunications vulnerabilities
- Attackers use hidden SMS and signaling systems to track target locations
- As attackers completely bypass the Internet, a VPN cannot protect you
Security researchers have revealed details of two covert surveillance campaigns that exploited weaknesses in the world’s telecommunications infrastructure.
In a report released Thursday, Citizen Lab explains that attackers are abusing signaling systems used by mobile operators to support roaming, route messages and locate devices on the network. Weaknesses were used to track certain subscribers or to send invisible SMS messages allowing the target’s location to be retrieved.
The findings highlight a broader problem in the global mobile ecosystem, where connections between operators can be misused. Importantly, there is little users can do on their own to protect themselves against these attacks; even those who use the best VPN Services are indeed vulnerable to this type of surveillance.
Article continues below
What the Citizen Lab report found
Citizen Lab’s report focuses on two separate sophisticated surveillance actors that targeted the infrastructure used by mobile networks to communicate with each other.
These systems allow your phone to not only connect while roaming, but also do simple things like receive text messages and stay reachable as you move between cell towers.
Above all, the results “directly link, for the first time, combined attacks on 3G and 4G networks to the infrastructure of mobile operators,” the researchers explain.
🚨New study reveals how two sophisticated surveillance actors exploited the global telecommunications ecosystem and, for the first time, directly link combined attacks on 3G and 4G networks to mobile operator infrastructure. Full report 👇 pic.twitter.com/nL8Bvn44inApril 23, 2026
Citizen Lab claims that attackers abused these trusted connections to attempt to geolocate certain mobile users.
The first campaign used older 3G and newer 4G signaling systems, known as SS7 and Diameter. Citizen Lab claims the attackers used these systems to locate a high-profile target described by their operator as a “VVIP.”
The second campaign used a different method: instead of sending a normal text that the user would see, the attackers sent hidden and completely invisible SMS messages, visible only to the SIM card inside the phone. This message attempted to make the SIM card collect location information and send it back. The target wouldn’t even know it happened; it was entirely behind the scenes.
Perhaps the worst part is that to carry out these attacks, you don’t need to accidentally download malware or fall for a scam. Attackers can simply compromise the mobile network around your phone or discreetly hijack the SIM card directly.
Why a VPN can’t help
People concerned about remaining anonymous online often try one of the most private VPNs in order to secure their activity. But even a top-notch VPN client cannot protect you against this attack.
A VPN is designed to protect your internet traffic. It can hide your IP address, encrypt data that leaves your device, or make it appear as if you are browsing from a different location. These features make VPNs essential for ensuring privacy, security, and even avoiding censorship in some countries.
But the attacks described by Citizen Lab don’t appear to rely on your IP address at all. Attackers don’t care where your browser says you are.
This is the crucial difference: your VPN sits on top of your Internet connection, but the SIM card and your mobile network connection operate on a different layer. Your phone still connects to local cell towers even if the Internet is turned off.
How to stay safe
For most people, this is no reason to panic. These campaigns are said to be aimed at high-profile figures and, so far, there does not appear to be any campaign targeting the general public.
The biggest problem is that there is little you can do to defend against these attacks, if they come your way. A telecom industry actor targeting your SIM card or abusing mobile signaling systems is not something you can completely prevent.
Therefore, while standard cybersecurity habits like updating your device and using a VPN are essential for your daily internet privacy, defending against this specific type of telecom tracking requires extreme measures. For those at high risk, the only real mitigation is to rely solely on Wi-Fi and turn off cellular connections completely.
