How old phone networks became tools for modern surveillance

Authors & Investigators: Denice V. & Anni Lindén

The rapid expansion of the digital landscape since the early 2000s has brought growing threats to our freedom and privacy online. As users, we have the right to understand what personal data we unknowingly surrender in exchange for access to modern technologies and their services. In this report, we look at how legacy infrastructure still in use today is exploited to surveil users and strip them of their privacy.

The controversy

In 2024, a dataset was discovered in the deep web containing 1.5 million records of tracked mobile numbers of politicians, journalists, activists, business leaders, and celebrities. The tracking was conducted by using a spyware called Altamides, short for “Advanced Location Tracking and Mobile Information and Deception System,” developed by the Indonesia-based surveillance company First Wap. In short, Altamides can track phone numbers anywhere in the world without a trace because it does not “infect” the device: pinpointing a person’s location or intercepting their calls and messages leaves nothing behind on the phone itself.

This news is concerning, not only because spyware like this is being implemented without the targets' knowledge or consent, but more importantly, because it violates freedom and privacy, as illustrated by several countries banning and suing the Israeli spyware company Pegasus. Will First Wap be next? 

Exploiting the vulnerabilities of the SS7 network

First Wap has been operating for two decades, flying under the radar thanks to the covert nature of Altamides. Instead of “infecting” the device as Pegasus does, Altamides targets and exploits the vulnerabilities of an old mobile signalling protocol called SS7.

Mobile carriers rely on SS7 to interconnect their networks (both 2G and 3G), enabling services such as the routing of phone calls, call forwarding, and text messages, as well as the exchange of subscriber billing information.

SS7 was useful when it was created in the 1980s in the ITU-T Q.700 series, and it still underpins how we contact each other today (locally and internationally), but security was not a concern when it was designed. SS7 lacks built-in authentication and does not properly check whether messages arriving from other networks are legitimate; it therefore runs on trust between mobile companies and network carriers.

Visual credit: TechTarget

If a malicious actor gains access to the SS7 network, they can send fake but valid-looking messages that the system will accept, because it does not check whether a request comes from a legitimate operator. This lays the groundwork for surveillance and attacks, allowing a malicious actor to intercept text messages, track a phone’s location, steal identities, redirect calls, or disrupt mobile service.

For example, in 2020, the Israeli private spy company Rayzone Group allegedly leased Sure Guernsey network’s access points to track the phone of Princess Latifa of Dubai. Private companies like First Wap, Rayzone Group, and Pegasus are able to misuse and abuse signalling messages without their targets’ knowledge because telecom networks lease out global titles, the unique addresses used in the SS7 network to route messages across the global telephone network.

In a similar fashion, First Wap exploited the vulnerability in the SS7 network.

The exposé

In 2025, a Lighthouse reporter, “Albert”, went undercover and attended the ISS World Training, an exclusive, industry-only mobile and surveillance conference set in Prague, informally known as the “Wiretapper’s Ball.”

Although First Wap claims on its website to deliver solutions to law enforcement and anti-corruption agencies, it appears that the company may be involved in deals where its surveillance technology is used by clients who circumvent the EU sanctions regime. At the Prague conference, First Wap’s Sales Director Guenther Rudolph told “Albert” that clients can route their deals via Indonesia, where First Wap's headquarters are, rather than the EU, where the sanctions regime would apply to individuals seeking to do business with First Wap. This implies that First Wap continues selling its products to sanctioned individuals by routing the deal via another region, even though the client may de facto be operating from Europe.

Altamides: correlation with First Wap

Altamides, known for its ability to leave no trace when spying on the target’s device, is First Wap’s flagship product. However, they do not mention Altamides on their website despite it being an integral part of their spyware infrastructure.

In 2019, they attended an event in Dubai called the International Conference of Crime Prevention, boasting that they had built and upgraded the Altamides platform and that it had been used since 2006 by several government law enforcement and security services on several continents, as described below:

Figure: Screenshot of a Facebook post by GM Group Dubai.

What is more, comparing the 2007 Elaman document on First Wap, and a 2013 Gamma Group document on Altamides, we recognised similarities in the technical requirements to track a device. It raises questions as to why First Wap would not advertise its star product on its website.

Connections and resellers

First Wap’s resellers and connections are not just in Indonesia but extend across the globe, including Nigeria, Rwanda, Ethiopia, Saudi Arabia, Malaysia, Belarus, Singapore, the UK, and the UAE. 

Companies included Gamma Group, Elaman, and ThorpeGlen, based in the UK and Germany. Gamma Group and First Wap have presented together to showcase their products at private events and at the previously mentioned “Wiretapper’s Ball.” A leaked document obtained by Privacy International suggests that Gamma Group was selling the same Altamides platform.

As of today, ThorpeGlen and Gamma Group no longer exist, and Elaman has denied having “sold, offered, or implemented Altamides,” despite another leaked document online suggesting otherwise. According to Mother Jones, the executives and staff members from these companies used the Altamides technology to locate themselves and their colleagues in, for example, Equatorial Guinea, Turkmenistan, Yemen, Oman, and Jordan.

Moreover, First Wap resellers may have also expanded their operations to different locations, including Washington DC, Abu Dhabi, Rome, Madrid, Malabo, Islamabad, and more.

How does the spyware at First Wap operate?

A. Minimum amount of data needed to track

According to a document from ELAMAN GSM LRTP, to track a person’s location, First Wap needs a minimum set of data as part of their Location Reporting and Tracking Platform (LRTP). The purpose of the platform is to provide their clients “with a facility to locate and show the vicinity location of a ‘GSM device.’”

This means that, to track someone, First Wap needs the location area code (LAC) of the device and the unique identifier of the cell tower the device is connected to (CELL ID). The CELL ID can then be translated into a geographic position (latitude and longitude). In practice, this means tracking the cell towers closest to the user’s device, which yields the approximate location of the individual.

The figure below shows the data First Wap collects, processes, and uses in LRTP.

Figure: Visual from page seven of the 2007 Elaman document Location Reporting and Tracking Platform for GSM Phones Tech.

B. Mobile and target information

Now that First Wap has the minimum set of data needed to track an individual, a web-based application called “FASTTRAX” is used to search for the device’s location. The target’s phone number is input on FASTTRAX to locate the device.

Once entered into the tool, the result will display the target’s cellular location. Authorised users of FASTTRAX will be able to see the map and aerial view of the user being tracked, along with whether the user is using the device, showing the phone status as idle, in use, or absent.

Aside from mapping and device status, FASTTRAX also displays the mobile user’s network information, including the user’s home country operator and roaming country operator. In the example below, the target’s home country operator is shown as “Indonesia / Indosat-IDNIM”, and the roaming country operator as “Indonesia / Indosat-IDNSL”. The five-character code at the end, for example “IDNIM” in “Indosat-IDNIM”, is called a TADIG code (Transferred Account Data Interchange Group). Knowing a target’s TADIG code helps an attacker identify which telecom operator's nodes to target, and subsequently which SS7 links to exploit. These codes are not impossible to obtain either, as they appear, for example, in each user’s billing records.

Below is a screenshot of an example target located using FASTTRAX:

Figure: Visual from page 11 of the 2007 Elaman document Location Reporting and Tracking Platform for GSM Phones Tech.

For First Wap to fully operate in a country, they must obtain an authorisation from the client (mostly governments) that permits Altamides to use the SS7 links belonging to local mobile or phone operators. This means that, as Altamides only works with prior client consent to access the SS7 links, and as their client base consists largely of governments and law enforcement agencies, it is those holding the highest office in our countries who enable these violations of privacy to take place.

First Wap moves without a trace, in collaboration with state agencies, giving attackers and harassers a huge opportunity to go after their targets through breaches of digital privacy, online harassment, mobile surveillance, and location tracking.

Conclusion

As of today, First Wap continues to fly under the radar given that it is not as known as its notorious Israeli cousins, Pegasus or the Rayzone Group. However, the evidence reveals that they monetise surveillance technology, violating the individual’s right to privacy, and dance around international regulations through activities that suggest circumventing the international sanctions regime.

The capabilities and vulnerabilities of SS7 show us that legacy infrastructure, when left unsecured, can be used against individuals, including you, your friends, colleagues, and your family. Maintaining the highest level of privacy and security is essential, otherwise it can be leveraged for mass surveillance, targeted attacks, and serious violations of personal freedom, privacy, and democracy. 

Since there is no option other than to continue using SS7, this is a call for telecommunication companies and network operators to put in place better ways to detect and prevent such attacks.
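The report's point that SS7 nodes accept any valid-looking request, and its call for operators to detect such abuse, can be made concrete with one plausibility check of the kind a home operator could run on inbound location requests: a request for one of its subscribers is only plausible if it comes from the home network itself or from the network currently serving that subscriber. This is an added example, not code from First Wap, any carrier, or the authors; the log format, global-title prefixes, subscriber records, and the GBRXX code are constructed assumptions (only the TADIG codes IDNIM and IDNSL appear on the page).

```python
from typing import List, Optional, Tuple
# Constructed mapping of global-title (GT) prefixes to operator TADIG codes.
# IDNIM and IDNSL appear on the page; the prefixes and GBRXX are made up.
GT_PREFIX_TO_TADIG = {
    "62855": "IDNIM",  # constructed: the home operator's own signalling nodes
    "62856": "IDNSL",  # constructed: partner network subscribers may roam on
    "44730": "GBRXX",  # constructed: unrelated foreign operator (placeholder)
}
HOME_TADIG = "IDNIM"

# Constructed view of the network currently serving each subscriber,
# as the home operator's own records would know it.
SUBSCRIBER_SERVING_NETWORK = {
    "6281200000001": "IDNIM",  # at home
    "6281200000002": "IDNSL",  # roaming on the partner network
}

# Constructed signalling log: "calling global title;target MSISDN" per line.
SAMPLE_LOG = """\
62855100;6281200000001
62856200;6281200000002
44730300;6281200000001
44730300;6281200000002
99999;6281200000001
"""

def operator_for_gt(gt: str) -> Optional[str]:
    """Map a calling global title to an operator by longest matching prefix."""
    for length in range(len(gt), 0, -1):
        tadig = GT_PREFIX_TO_TADIG.get(gt[:length])
        if tadig:
            return tadig
    return None

def check_location_request(source_gt: str, msisdn: str) -> Tuple[bool, str]:
    """Accept a location request only if it comes from the home network or from
    the network actually serving the subscriber; any other requester is rejected."""
    op = operator_for_gt(source_gt)
    if op is None:
        return False, "unknown global title"
    serving = SUBSCRIBER_SERVING_NETWORK.get(msisdn)
    if serving is None:
        return False, "unknown subscriber"
    if op in (HOME_TADIG, serving):
        return True, f"requester {op} is home or serving network"
    return False, f"requester {op} is not serving this subscriber (on {serving})"

def screen_log(lines: List[str]) -> List[bool]:
    """Run the check over 'gt;msisdn' log lines; return one allow/deny flag per line."""
    return [check_location_request(*ln.strip().split(";"))[0] for ln in lines if ln.strip()]
```

In a real deployment the serving network would come from the operator's live subscriber records rather than a static table, and rejected requests would be logged for investigation rather than silently dropped.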

As of today, one of the best ways to avoid snooping via text messages is by using secure text-messaging apps like Signal that offer end-to-end encryption. WhatsApp offers this too but the security community is conflicted because Meta, the parent company of WhatsApp, is known to have surrendered millions of users’ information to the US authorities, and is reportedly being investigated for reading the encrypted messages on WhatsApp; however, Meta has denied the claims.
