Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of
steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. He faces up to 10 years in jail for conspiracy to commit fraud, including extortion. 

Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced a $11 million reward for information leading to his arrest or conviction.

“The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.

“We remain determined to capture Stryzhak’s codefendant and partner in crime, Volodymyr Tymoshchuk, and bring him to justice in a U.S. courtroom,” Nocella added. Officials accuse Tymoshchuk of acting as an administrator of the Nefilim ransomware group and described him as a serial cybercriminal associated with multiple ransomware strains.

Attacks involving Nefilim ransomware caused millions of dollars in losses from extortion payments and damage to victim networks, officials said. Stryzhak and his co-conspirators allegedly customized executable ransomware files for each victim, creating unique decryption keys and unique ransom notes. 

The ransomware group primarily targeted companies located in the United States, Canada and Australia with more than $100 million in annual revenue, and extorted victims by threatening to publish stolen data. The crew researched companies after they broke into their networks to determine their net worth, size and contact information.

Stryzhak’s victims in the U.S. include an engineering consulting company based in France, an aviation industry company in New York, a chemical company in Ohio, an insurance company in Illinois, a company in the construction industry in Texas, a pet care company in Missouri, an international eyewear company and a company in the oil and gas transportation industry. 

Stryzhak and his co-conspirators also used Nefilim ransomware to encrypt victim networks in Germany, the Netherlands, Norway and Switzerland, prosecutors said. 

Officials said Stryzhak’s crimes began when he gained access to the Nefilim ransomware code in June 2021 in exchange for 20% of his ransom proceeds.

“Cybercriminals may hide behind screens, but they leave digital footprints everywhere,” Christopher Johnson, special agent in charge of the FBI’s field office in Springfield, Illinois, said in a statement. 

“The FBI follows these digital trails relentlessly — across networks, borders, and time — until those responsible are held accountable,” Johnson added. “Today is a remarkable accomplishment, but we will not stop until we have captured all those responsible for the Nefilim ransomware.”

The post Ukrainian national pleads guilty to Nefilim ransomware attacks appeared first on CyberScoop.

European authorities shut down and seized the assets of Cryptomixer, a cryptocurrency mixing service that allegedly facilitated more than $1.5 billion in money laundering for cybercriminals and other illegal activity, Europol said Monday. 

The weeklong operation, part of “Operation Olympia,” netted the seizure of nearly $28 million in Bitcoin, three servers in Switzerland, the cryptomixer.io domain and more than 12 terabytes of data, officials said. The site currently displays a seizure notice, warning that anyone using or operating cybercriminal services is subject to investigation and prosecution. 

The takedown is part of a broader global law enforcement effort to disrupt, confiscate and obtain additional information on the various services cybercriminals rely upon and the individuals leading these operations. 

Cryptomixer, which was accessible on the clear and dark web, mixed more than $1.5 billion in Bitcoin through its infrastructure since its founding in 2016, according to Europol. Officials described the mixing service as “the platform of choice” for cybercriminals and various crimes, including ransomware, payment card fraud, and drugs and weapons trafficking. 

“Deposited funds from various users were pooled for a long and randomised period before being redistributed to destination addresses, again at random times,” Europol said. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges.”

North Korean-linked Lazarus Group used Cryptomixer and similar services before it shifted to high-volume attacks, according to TRM Labs. Lazarus Group stole $1.46 billion in Ethereum from Bybit in February and laundered $160 million within two days of the attack. 

“North Korea now appears to prioritize speed and automation over traditional anonymity,” researchers said in the wake of the largest cryptocurrency theft on record.

Officials also referenced the 2023 takedown of ChipMixer, the largest mixing service at that time, as an example of law enforcement agencies’ sustained effort to target cryptocurrency mixing services. ChipMixer was allegedly responsible for more than $3 billion in transactions since it began operations in 2017.

The Cryptomixer shutdown drew support from Europol, Eurojust and multiple law enforcement agencies from Germany and Switzerland.

The post Authorities take down Cryptomixer, seize $28M in Switzerland appeared first on CyberScoop.