
Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities

23 April 2026 at 15:19

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unidentified parties behind the campaigns impersonated mobile phone operators using customized surveillance tools, manipulated signaling protocols, and routed their traffic through network pathways chosen to conceal its origin, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter, the signaling protocols used in 3G networks and in 4G and most 5G networks, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into the vulnerabilities of both protocols, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, responded that it did not recognize the hostnames referenced in the report as 019 Mobile network nodes and could not attribute the signaling activity they represent to infrastructure operated by 019 Mobile.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26 to include a quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

Citizen Lab links Cellebrite to the hacking of a Kenyan presidential candidate’s phone

17 February 2026 at 06:00

Researchers have found forensic evidence suggesting that Kenyan authorities used Cellebrite’s phone-cracking technology on the device of a prominent human rights activist after arresting him, according to a report published Tuesday.

The University of Toronto’s Citizen Lab said the intrusion is a sign of growing abuse of Cellebrite’s technology. According to the report, after his widely criticized arrest in July amid mass protests, Boniface Mwangi noticed that his personal phone no longer required a password to access. The government initially suggested it might pursue terrorism charges, but later backed away from that and instead filed lesser offenses.

After the incident, Mwangi gave his phone to Citizen Lab for forensic analysis. The group said it found evidence of Cellebrite’s use, potentially to extract data from his device.

Mwangi told CyberScoop he felt a “very strong feeling of violation” afterward, as his phone contained family photos, conversations with loved ones and even his plans for running for president, a bid he announced in August.

“I’ve been shot, I’ve been jailed, I’ve been tortured, I’ve been assaulted in many, many ways,” he continued. “So this is more emotional than physical, because I feel like someone was in your private thoughts — the things that you think, that you think should never be public.”

Citizen Lab said the incident showed that Cellebrite’s claims of safeguards against abuse via an ethics committee aren’t sufficient.

“Boniface Mwangi’s case wasn’t the first Cellebrite abuse case, and it won’t be the last, because Cellebrite has a global abuse problem,” John Scott-Railton, senior researcher at the organization, told CyberScoop. “When Cellebrite sells their technology to a security service with a track record of abuses, journalists, activists, and people speaking their conscience are at risk. It’s time for Cellebrite to take action and prove that their ethics committee isn’t a Potemkin village and their vetting procedures aren’t just empty platitudes.”

The U.S. government, including the Immigration and Customs Enforcement agency, also uses Cellebrite’s products and services.

Citizen Lab sent Cellebrite a list of questions, but the company did not respond to them. Cellebrite did, however, defend its approach in a response to CyberScoop.

“Cellebrite maintains a rigorous process for reviewing allegations of technology misuse,” said Victor Cooper, a company spokesperson. “When credible, substantiated evidence is presented directly to our team, we investigate thoroughly and take decisive action, up to and including license termination.

“We do not respond to speculation and encourage any organization with specific, evidence-based concerns to share them with us directly so we can act on them,” he continued.

“Cellebrite operates under stringent compliance and ethics frameworks. We stand behind our vetting processes, our Ethics & Integrity Committee and our record of enforcement.”

Neither a spokesperson for the Kenyan government nor the Kenyan embassy in Washington, D.C. answered requests for comment Monday.

The post Citizen Lab links Cellebrite to the hacking of a Kenyan presidential candidate’s phone appeared first on CyberScoop.

Researchers find Jordan government used Cellebrite phone-cracking tech against activists

22 January 2026 at 12:26

Jordanian authorities used Cellebrite phone-cracking technology to access the devices of domestic activists and human rights defenders and then extract information from them, according to an investigation published Thursday.

The nonconsensual access stood in conflict with international human rights treaties that Jordan ratified, the University of Toronto’s Citizen Lab investigation determined, prompting the research organization to call on Cellebrite to open a probe into clients in Jordan.

Citizen Lab, which released its investigation in coordination with the Organized Crime and Corruption Reporting Project (OCCRP), analyzed the phones of four activists after Jordanian authorities seized and returned them, then concluded with “high confidence” that the devices had been subjected to Cellebrite’s forensic extraction products. Court documents from criminal proceedings under Jordan’s 2023 Cybercrime Law supplied additional evidence.

The cases Citizen Lab evaluated transpired between late 2023 and mid-2025, during a period of protests in support of Palestinians. They involved a political activist, a student organizer, an activist/researcher and a human rights defender; three of them had iPhones and the fourth had an Android device.

The Citizen Lab probe adds to a body of reporting about alleged Cellebrite abuses. Last year, Amnesty International reported that Serbian authorities had used Cellebrite in conjunction with spyware to eavesdrop on activists and journalists; journalists in a number of countries have reportedly had their phones accessed via Cellebrite technology.

Citizen Lab further concluded that products by the Israel-based Cellebrite are widely used against civil society in Jordan, with forensic data showing its use dating back to at least 2020.

“Surveillance is not limited to spyware,” said the lead author of the report, Kamel Al-Shawareb, a pseudonymous research fellow at Citizen Lab. “Authoritarian states access smartphone data remotely with spyware like Pegasus or by physically seizing a device and using Cellebrite to access the contents.”

Activists whose phones Citizen Lab examined said the experience shook their confidence and led them to self-censor.

“I felt wronged and violated, like they stole something from me, and not because they’re strong, but because we’re legally weak,” one of the people told the OCCRP on condition of anonymity.

Victor Cooper, a spokesperson for Cellebrite, said that the company cannot disclose specific information about its customers, but that it prohibits transactions with any entities on the sanctions lists of the United States and other nations and organizations.

“Beyond these baselines, the company vets potential customers against internal human rights parameters, leading us to historically cease business in jurisdictions where risks were deemed incompatible with our corporate values,” he said in an email to CyberScoop. “We license technology solely for lawful purposes, requiring customers to explicitly certify they possess valid legal authority prior to usage.”

He said that Cellebrite tech, unlike spyware, can’t intercept communications or monitor devices in real time, but rather can access private data under legal processes to aid investigations after something has occurred.

“We take seriously all allegations of potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement,” Cooper said. “Once solid information is shared with Cellebrite, we review the allegations and take proactive precise steps to investigate each claim in accordance with our ethics and integrity policies. When appropriate we stop the use of our products by the relevant customers.”

Citizen Lab said Cellebrite’s responses to its questions as part of the investigation were “vague and unsubstantiated.”

Jordan’s Ministry of Government Affairs and its embassy in the United States did not respond to requests for comment.

The post Researchers find Jordan government used Cellebrite phone-cracking tech against activists appeared first on CyberScoop.

Treasury removes Intellexa spyware-linked trio from sanctions list

2 January 2026 at 11:00

The Trump administration this week removed from its sanctions list three Iranians who were previously accused of working for Intellexa, the consortium behind the Predator spyware that recent investigations say has circumvented human rights safeguards.

The Biden administration imposed sanctions against the trio in 2024 as part of a broader move to sanction spyware operators. The Treasury Department noted the deletions this week as part of other sanctions moves.

Under the prior sanctions designations, the Biden administration said that Merom Harpaz was manager of Intellexa S.A., a member of the consortium; that Andrea Nicola Constantino Hermes Gambazzi was functionally the owner of Thalestris Limited and Intellexa Limited, two other consortium members; and that Sara Aleksandra Fayssal Hamou was a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium.

While the Tuesday notice about the sanctions removal provided no explanation, “this removal was done as part of the normal administrative process in response to a petition request for reconsideration,” a U.S. official told CyberScoop.

“Each individual has demonstrated measures to separate themselves from the Intellexa Consortium and it has been determined that the circumstances resulting in the sanction no longer apply,” the official said. “The power of sanctions derive not only from the ability to designate individuals, but also from our willingness to remove sanctions consistent with the law.”

Only last month, an investigation concluded that despite sanctions against those three individuals and others, Intellexa had retained the capacity to remotely access the systems of Predator customers, raising human rights questions. Other reports from last month found evidence of expanded Predator targeting and exploitation of malicious mobile advertisements to infect targets.

Researchers and advocates who work on spyware issues found the sanctions removals concerning.

“The public deserves to know what evidence exists to prove that these individuals have ceased their involvement with Intellexa,” Natalia Krapiva, senior tech-legal counsel at Access Now, wrote on Bluesky.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said on X that he found the removals “puzzling,” adding that “Some in the mercenary spyware ecosystem are probably reading today’s Intellexa exec [delisting] as: ‘scoff at US, help hack Americans & you can still skirt consequences with the right lobbying.’”

The post Treasury removes Intellexa spyware-linked trio from sanctions list appeared first on CyberScoop.
