- Citizen Lab found two surveillance actors exploiting global telecommunications flaws
- Attackers use hidden SMS and beacon systems to track the location of targets
- Since attackers completely avoid the Internet, a VPN can’t protect you
Security researchers have just revealed details of two covert surveillance campaigns that exploit weaknesses in the global telecommunications infrastructure.
In a report published Thursday, Citizen Lab explains that attackers abuse the signaling systems that mobile operators use to support roaming, route messages and locate devices on the network. The weaknesses were used to track certain subscribers or to send invisible SMS messages that retrieved the target’s location.
The findings point to a broader problem in the global mobile ecosystem, where connections between operators can be abused. Fundamentally, there is little that users can do on their part to protect themselves from these attacks; even those who use the best vpn in fact, they are vulnerable to this type of surveillance.
Article continues below.
What the Citizen Lab report found
Citizen Lab’s report focuses on two separate sophisticated surveillance actors who targeted the infrastructure that mobile networks use to communicate with each other.
These systems are what allow your phone to connect while roaming, but also do simple things like receive text messages and stay accessible when moving between cell towers.
Crucially, the findings “for the first time directly link combined attacks on 3G and 4G networks to mobile operator infrastructure,” the researchers explain.
🚨New research reveals how two sophisticated surveillance actors exploited the global telecommunications ecosystem and, for the first time, directly links combined attacks on 3G and 4G networks to mobile operators’ infrastructure. Full report 👇 pic.twitter.com/nL8Bvn44inApril 23, 2026
Citizen Lab claims that attackers abused these trusted connections to attempt to geolocate certain mobile users.
The first campaign used older 3G and newer 4G signaling systems known as SS7 and Diameter. Citizen Lab says the attackers used these systems to locate a high-profile target described by their operator as “VVIP.”
The second campaign used a different method: instead of sending a normal text that the user would see, the attackers sent hidden and completely invisible SMS messages that were only visible to the SIM card inside the phone. That message attempted to cause the SIM to collect location information and send it back. The target wouldn’t even know what happened; it was completely behind the scenes.
The worst thing perhaps is that to carry out these attacks it is not necessary to accidentally download malware or fall for a scam. Attackers can simply compromise the mobile network around your phone or silently hijack the SIM card directly.
Why a VPN can’t help
People who care about remaining anonymous online often try one of the most private VPNs to keep your activity safe. But not even a top-tier VPN client can protect you from this attack.
A VPN is designed to protect your Internet traffic. It can mask your IP address, encrypt data leaving your device, or make it appear that you are browsing from a different location. These features make VPNs indispensable for privacy, security, and even avoiding censorship in certain countries.
But the attacks described by Citizen Lab don’t seem to depend on your IP address at all. Attackers don’t care where your browser says it is located.
This is the crucial difference: your VPN sits on top of your internet connection, but the SIM and your mobile network connection operate on a different layer. Your phone still connects to local cell towers even with the Internet disabled.
How to stay safe
For most people, this is no cause for panic. These campaigns are said to be aimed at high-profile individuals and, so far, there does not appear to be any campaigns targeting the general public.
The biggest problem is that there is not much you can do to defend yourself against these attacks, should they occur. Having a telecom actor target your SIM card or abuse mobile signaling systems is not something you can completely avoid.
So while standard cybersecurity habits, like keeping your device up to date and using a VPN, are essential for your daily privacy on the Internet, defending against this specific type of telecommunications tracking requires extreme measures. For high-risk individuals, the only true mitigation is to rely solely on Wi-Fi and disable mobile connections entirely.
