In development. RVNT is pre-release — not yet security-audited. Source code, public builds, and the iOS / App Store release aren’t available yet. See the roadmap →

They Don't Need Your Phone: Tracking Targets Through the Telecom Network Itself

Tags: ss7, diameter, location-tracking, metadata, telecom, simjacker

On 23 April 2026, the University of Toronto’s Citizen Lab published a report titled Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors, by researchers Gary Miller and Swantje Lange. It documents something that should reframe how you think about “secure” communication: surveillance operators tracking the physical location of specific people, across borders, for years — without ever touching the targets’ phones, apps, or accounts.

No malware. No phishing link. No compromised messenger. The targets did nothing wrong and saw nothing happen. The attack lived in the telephone network itself, in a layer beneath everything an app can control.

This is the threat that end-to-end encryption does not address, and it is worth understanding in detail, because understanding exactly where it operates is the only way to reason honestly about what any messenger — including RVNT — can and cannot do about it.

The network under the network

When you send a message, you think in terms of apps and the internet. But your phone is also a node on a second, older, mostly invisible network: the global telecom signaling system that carriers use to find you, route your calls, and let you roam onto a tower in another country and still receive a text.

That system runs on two main protocols:

  • SS7 (Signaling System 7), the legacy signaling layer behind 2G and 3G. It was designed in the era of a few trusted state-owned telephone monopolies. It has, essentially, no authentication, no integrity checking, and no encryption. A query that arrives looking like it came from a legitimate carrier is treated as if it did.
  • Diameter, the successor used for 4G/LTE. On paper it is stronger. In practice, Citizen Lab found that operators frequently failed to deploy its protections, defaulting back to a peer-to-peer trust model where networks assume each other’s queries are legitimate.

The original sin of both is the same: they assume the participants are a small club of trustworthy carriers. In a world of hundreds of operators, virtual operators, and leased access, that assumption is false — and an attacker who can get inside the signaling ecosystem can ask it questions it will faithfully answer.

The most damaging question is the simplest: which cell is this subscriber on right now? The network knows, because it has to know to deliver a call: the home network's HLR (or HSS on LTE) records which switch (MSC/VLR, or MME) is currently serving the phone, and that switch knows the cell. Ask it the right way, in SS7 MAP terms with operations such as provideSubscriberInfo or anyTimeInterrogation, and it returns a Cell Global Identity, which maps to a physical tower. That answer is a location.

Two actors, two techniques

Citizen Lab attributes the activity to two distinct clusters it labels STA1 and STA2.

STA1 — signaling manipulation across generations

STA1 is the patient, sophisticated one. The report documents more than 500 location-tracking attempts attributed to this actor, with activity stretching from at least November 2022 through early 2025. Its distinguishing move was combining 3G SS7 and 4G Diameter queries — using them together to downgrade or bypass Diameter firewalls that an operator might have deployed, and even pairing network signaling with direct device interrogation over SMS.

One case in the report makes the capability concrete. A high-value target — described as a “VVIP” company executive in the Middle East — was subjected to a coordinated four-hour location-tracking campaign on 25 November 2024, using eleven different operator identities across nine countries. That is not a teenager with a tool. That is an operation with access to the interconnect fabric and the patience to orchestrate it.
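
To make the signaling side concrete, here is an added example, not code from the report or from RVNT, that sketches what an operator's detection logic for this pattern could look like. It takes a feed of signaling records, keeps only the MAP and Diameter operations whose answers reveal a subscriber's serving node or cell (the "which cell is this subscriber on" question above), and flags a subscriber who is queried from several origins, from origins outside a roaming-partner list, or over both SS7 and Diameter inside one window, the cross-generation pattern attributed to STA1. The record format, the Global Titles, Origin-Hosts, IMSIs and the partner list are all constructed for the example.

```python
"""Flag location-revealing signaling aimed at one subscriber (added example).

Everything below is constructed: the record format, the Global Titles,
Diameter Origin-Hosts, IMSIs and the partner list are assumptions for the
example, not a real operator feed and not data from the Citizen Lab report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# MAP (SS7) and Diameter operations whose answer reveals which node, and
# often which cell, currently serves a subscriber. Operation names are the
# standard ones from 3GPP TS 29.002 (MAP) and TS 29.272 / 29.338 (Diameter).
LOCATION_OPS = {
    "SS7": {"provideSubscriberInfo", "anyTimeInterrogation",
            "sendRoutingInfoForSM", "sendRoutingInfo"},
    "Diameter": {"Insert-Subscriber-Data-Request",      # S6a IDR, can ask for EPS location
                 "Send-Routing-Info-for-SM-Request"},   # S6c SRR, returns serving MME/SGSN
}

# Assumed roaming-partner allowlist (SS7 Global Titles and Diameter
# Origin-Hosts expected to query this network's subscribers). Made up.
KNOWN_PARTNERS = {"+441000000001", "hss.partner-a.example"}


def parse(lines):
    """Constructed line format: ts|proto|op|origin|imsi (an assumption, not a real CDR layout)."""
    records = []
    for line in lines:
        ts, proto, op, origin, imsi = line.strip().split("|")
        records.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                        "op": op, "origin": origin, "imsi": imsi})
    return records


def is_location_op(rec):
    return rec["op"] in LOCATION_OPS.get(rec["proto"], set())


def analyze(records, window=timedelta(hours=1), min_origins=3):
    """Per target IMSI, find the densest one-window burst of location-revealing
    operations and flag it when it comes from many origins, from origins outside
    the partner list, or over both SS7 and Diameter (the cross-generation pattern)."""
    by_imsi = defaultdict(list)
    for rec in records:
        if is_location_op(rec):
            by_imsi[rec["imsi"]].append(rec)

    findings = []
    for imsi, recs in by_imsi.items():
        recs.sort(key=lambda r: r["ts"])
        burst = []
        for i, first in enumerate(recs):          # sliding window anchored on each record
            group = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len(group) > len(burst):
                burst = group
        origins = {r["origin"] for r in burst}
        protos = {r["proto"] for r in burst}
        unknown = origins - KNOWN_PARTNERS
        flags = []
        if len(origins) >= min_origins:
            flags.append("many-origins")
        if unknown:
            flags.append("unknown-origin")
        if {"SS7", "Diameter"} <= protos:
            flags.append("cross-generation")
        if flags:
            findings.append({"imsi": imsi, "queries": len(burst),
                             "window_start": burst[0]["ts"].isoformat(),
                             "origins": sorted(origins), "protocols": sorted(protos),
                             "unknown_origins": sorted(unknown), "flags": flags})
    return findings


# Constructed sample feed. Subscriber ...001 is probed from four origins over two
# protocols in under an hour; subscriber ...002 only sees normal partner traffic.
SAMPLE_FEED = [
    "2024-11-25T09:00:00|SS7|sendRoutingInfoForSM|+99911110001|001010000000001",
    "2024-11-25T09:04:00|SS7|provideSubscriberInfo|+99911110001|001010000000001",
    "2024-11-25T09:20:00|Diameter|Insert-Subscriber-Data-Request|hss.ghost-x.example|001010000000001",
    "2024-11-25T09:45:00|SS7|anyTimeInterrogation|+99922220002|001010000000001",
    "2024-11-25T09:50:00|SS7|provideSubscriberInfo|+99933330003|001010000000001",
    "2024-11-25T09:00:00|SS7|sendRoutingInfoForSM|+441000000001|001010000000002",
    "2024-11-25T09:10:00|SS7|updateLocation|+441000000001|001010000000002",
]

if __name__ == "__main__":
    for f in analyze(parse(SAMPLE_FEED)):
        print(f["imsi"], f["flags"], f["origins"])
```

The point of the three flags is that none of them alone is conclusive: a legitimate SMS home-routing partner sends sendRoutingInfoForSM all day, and a roaming subscriber is queried over Diameter by the visited network. What stands out in the report's cases is the combination, many unrelated origins, several of them outside any roaming relationship, hitting one IMSI inside a short window, sometimes over both protocol generations.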

STA2 — turning the SIM into a beacon with SIMjacker

STA2 used a different and even more unsettling technique: SIMjacker. This is a class of attack that targets the small application environment on the SIM card itself, the SIM Application Toolkit, and specifically a legacy component called the S@T browser (SIMalliance Toolbox browser) still present on many SIMs.

The attack is delivered as a binary SMS: a text message that is not meant to be read by a human and never appears on your screen. Citizen Lab describes the specific markers: a TP-PID value of 127 and a TP-DCS value of 22, carrying S@T bytecode commands. Both numbers have a precise meaning in the SMS standard (3GPP TS 23.040 and TS 23.038). TP-PID 127 (0x7F) is the "(U)SIM Data download" protocol identifier, which tells the handset the message is for the SIM, not the display. TP-DCS 22 (0x16) encodes 8-bit binary data with message class 2, the "SIM-specific" class. A handset that sees that combination hands the payload to the SIM in an ENVELOPE (SMS-PP DOWNLOAD) command without showing anything to the user.

[ attacker ] --binary SMS (invisible)--> [ your SIM ]
                  TP-PID = 127  → goes to the SIM, not the screen
                  TP-DCS = 22   → binary, not text
                  payload       → "fetch cell location, send it back"
[ your SIM ] --silent reply--> [ attacker infrastructure ]

The SIM's S@T browser executes the commands: it asks the handset for its current cell identity using a standard SIM Toolkit proactive command (PROVIDE LOCAL INFORMATION) and then sends the result out in another SMS (SEND SHORT MESSAGE), and the user sees nothing at all. The report describes this as turning the device into "a covert tracking beacon." STA2's footprint included over 1,700 SS7 attacks from a single Global Title between October 2023 and April 2025, of which 92% were tied to location tracking.
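
To see why the two header values matter, here is an added example (not code from the report or from RVNT) that builds SMS-DELIVER PDUs with the fields the report names, decodes TP-PID and TP-DCS per 3GPP TS 23.040 and TS 23.038, and reports whether a handset would route the message to the SIM instead of the screen. The sender number, timestamp and payload bytes are constructed; the payload is opaque filler, not S@T bytecode.

```python
"""Decode the SMS header fields that mark a SIM-bound binary message (added example).

Builds SMS-DELIVER TPDUs per 3GPP TS 23.040, decodes TP-PID and TP-DCS per
TS 23.040 / 23.038, and reports whether a handset would hand the payload to
the SIM (SMS-PP data download) instead of displaying it. The sender number,
timestamp and payload bytes are constructed; the payload is filler, not S@T bytecode.
"""

SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID "(U)SIM Data download", TS 23.040 9.2.3.9
SIM_SPECIFIC_CLASS = 2         # TP-DCS message class 2, TS 23.038 section 4


def decode_dcs(dcs):
    """Return (alphabet, message_class) for a TP-DCS octet; class is None if not present."""
    if dcs >> 6 in (0, 1):                       # general data coding (01: auto-deletion group)
        alphabet = ("GSM 7-bit", "8-bit data", "UCS-2", "reserved")[(dcs >> 2) & 0x3]
        msg_class = dcs & 0x3 if dcs & 0x10 else None
    elif dcs >> 4 == 0xF:                        # "data coding / message class" group
        alphabet = "8-bit data" if dcs & 0x4 else "GSM 7-bit"
        msg_class = dcs & 0x3
    else:                                        # message-waiting groups etc.
        alphabet, msg_class = "other", None
    return alphabet, msg_class


def _bcd(digits):
    """Pack a digit string as swapped-nibble BCD, padding an odd length with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def build_deliver(originator, pid, dcs, user_data):
    """Constructed SMS-DELIVER TPDU: first octet, TP-OA, TP-PID, TP-DCS, TP-SCTS, TP-UDL, TP-UD."""
    first = 0x04                                  # MTI=00 (SMS-DELIVER), TP-MMS=1
    tpdu = bytes([first, len(originator), 0x91])  # 0x91: international number
    tpdu += _bcd(originator)
    tpdu += bytes([pid, dcs])
    tpdu += bytes.fromhex("42115281900000")       # TP-SCTS, dummy timestamp (2024-11-25 18:09)
    tpdu += bytes([len(user_data)]) + user_data   # TP-UDL counts octets for 8-bit data
    return tpdu


def parse_deliver(tpdu):
    """Pull TP-PID, TP-DCS and the user data out of an SMS-DELIVER TPDU."""
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER")
    oa_octets = (tpdu[1] + 1) // 2                # address length is given in digits
    pos = 3 + oa_octets                           # skip first octet, addr-len, type-of-address, digits
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    udl = tpdu[pos + 9]                           # after the 7-octet TP-SCTS
    return {"pid": pid, "dcs": dcs, "udl": udl, "ud": tpdu[pos + 10:pos + 10 + udl]}


def classify(tpdu):
    """Decide whether the handset routes this message to the SIM rather than the screen."""
    m = parse_deliver(tpdu)
    alphabet, msg_class = decode_dcs(m["dcs"])
    # TS 31.111: SIM Data download PID plus class 2 => ENVELOPE (SMS-PP DOWNLOAD) to the SIM
    to_sim = m["pid"] == SIM_DATA_DOWNLOAD_PID and msg_class == SIM_SPECIFIC_CLASS
    return {**m, "alphabet": alphabet, "msg_class": msg_class, "routed_to_sim": to_sim}


# Constructed PDUs. The "silent" one carries the markers the report names:
# TP-PID 127 (0x7F) and TP-DCS 22 (0x16). Payload bytes are filler.
SILENT_PDU = build_deliver("19995550100", 0x7F, 0x16, bytes(range(8)))
NORMAL_PDU = build_deliver("19995550100", 0x00, 0x04, b"hello")   # 8-bit, no class, shown to user

if __name__ == "__main__":
    for name, pdu in (("silent", SILENT_PDU), ("normal", NORMAL_PDU)):
        c = classify(pdu)
        print(name, pdu.hex(), "pid=%d dcs=%d %s class=%s -> SIM: %s"
              % (c["pid"], c["dcs"], c["alphabet"], c["msg_class"], c["routed_to_sim"]))
```

Two details are worth noticing. First, the same "8-bit data, class 2" meaning can be spelled two ways (0x16 in the general coding group, 0xF6 in the data-coding/message-class group), so a filter that matches one literal value misses the other. Second, the pair is what triggers the SIM hand-off; class 2 on its own just tells the handset to store the message on the SIM. Whether the SIM then does anything with the bytes depends on what is installed on it, which is why the exposure to this technique is a property of your SIM, not your handset or your apps.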

The “ghost” carriers that make it possible

You cannot send these queries from nowhere. They have to enter the global signaling network through some operator’s connection. Citizen Lab’s most actionable finding is the identification of the telecom entry and transit points that surveillance traffic repeatedly flowed through — operators acting, in effect, as ghosts riding on legitimate infrastructure:

  • 019Mobile (Israel), which recurred as both an originating network and an intermediary routing node for Diameter surveillance, reachable through a partner network.
  • Airtel Jersey / Sure Group (Channel Islands), configured as a first-hop proxy for 4G location queries, and previously named in prior telecom-surveillance investigations.
  • Tango Networks UK (MCC 234 / MNC 053), whose Diameter signaling identifiers showed up across multiple years of activity.

The targeting spanned a long list of countries across Europe, Africa, the Middle East, and Asia. The point is not any single nation. The point is that the interconnect ecosystem is global, lightly policed, and rentable — and that “your carrier” is not a single trustworthy entity but a doorway into a network that trusts strangers.

Why your encrypted messenger can’t stop this

Here is the part that matters for anyone who has ever felt safe because their chats are end-to-end encrypted.

These attacks operate at the telecom infrastructure layer, below the application. Your messages can be sealed with perfect cryptography and it changes nothing, because the attacker is not reading your messages. They are asking the network where your phone is. The location of your handset is not message content; it is a property the carrier maintains in order to function, and the signaling protocols leak it.

application layer    →  your messages   (E2EE protects this)
─────────────────────────────────────────────────────────
telecom signaling    →  your location   (SS7 / Diameter leak this)
SIM / baseband       →  your device      (SIMjacker targets this)

End-to-end encryption draws a box around message content. SS7, Diameter, and SIMjacker operate entirely outside that box. This is the clearest possible illustration of a principle we keep returning to: content is only one of the things a communication reveals, and often not the most dangerous one. We made the broader argument in Metadata Is the Message; Bad Connection is that argument as a field report.

What RVNT does — and, honestly, doesn’t — do here

We are going to be very direct, because the honest answer here is more useful than a reassuring one.

RVNT cannot fix the SS7 or Diameter networks. No app can. The vulnerability lives in carrier signaling and on the SIM, which are owned and operated by your mobile network, far outside any messenger’s reach. Anyone who tells you their app makes you immune to SS7 location tracking is selling you something.

What RVNT can do is refuse to add to the problem, and reduce the identifiers an attacker can pivot on:

  • RVNT identity is not your phone number. Many messengers bind your account to your phone number, which ties your secure identity directly to the carrier-controlled SIM and number that these attacks key on. RVNT identities are cryptographic, not telephone numbers — there is no number for an attacker to look up to find you. See the protocol overview.
  • Your network location is decoupled from your traffic. RVNT routes traffic through Tor using an embedded Rust arti client, so your internet address — a separate location signal — isn’t trivially tied to what you send. That is a different layer from cellular location, but it closes a leak that would otherwise compound the problem.
  • Metadata minimization is the whole posture. Sealed sender, padding, and maximum-privacy mixnet routing exist precisely because we treat the network’s exhaust as a secret, not a footnote.

The honest limit, stated plainly

If your threat model includes a well-resourced actor with telecom interconnect access, the only real mitigations for cellular location are at the device and SIM level, and they are blunt: keeping the radio off (airplane mode) when you need to be unfindable, using hardened mobile operating systems, and minimizing how tightly your real identity is bound to a SIM and number in the first place. Two caveats a practitioner should keep in mind. Airplane mode only helps while it is on; the moment the radio reattaches, the serving network updates the HLR/HSS and the lookup works again. And exposure to SIMjacker specifically depends on the SIM: a SIM without the S@T browser, or whose operator filters SIM-bound binary SMS at the gateway, is not reachable that way, and only your carrier can tell you which you have. These are physical-layer and operating-system problems, and we say so in our threat model rather than pretend an app can wave them away.

What RVNT changes is narrower and real: it ensures that when an adversary maps the telecom layer, your communications identity isn’t sitting there as another lookup key, and that the content and social graph of what you send aren’t waiting to be harvested alongside your coordinates.

The Bad Connection report is public, detailed, and worth reading in full. So is our code. Read both, and verify for yourself exactly which layer each one protects.
