First Wap: A Surveillance Computer You’ve Never Heard Of

Mother Jones has a long article on surveillance arms manufacturers, their wares, and how they avoid export control laws:

Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap’s European founders and executives have quietly built a phone-tracking empire, with a footprint extending from the Vatican to the Middle East to Silicon Valley.

It calls its proprietary system Altamides, which it describes in promotional materials as “a unified platform to covertly locate the whereabouts of single or multiple suspects in real-time, to detect movement patterns, and to detect whether suspects are in close vicinity with each other.”

Altamides leaves no trace on the phones it targets, unlike spyware such as Pegasus. Nor does it require a target to click on a malicious link or show any of the telltale signs (such as overheating or a short battery life) of remote monitoring.

Its secret is shrewd use of the antiquated telecom language Signaling System No. 7, known as SS7, that phone carriers use to route calls and text messages. Any entity with SS7 access can send queries requesting information about which cell tower a phone subscriber is nearest to, an essential first step to sending a text message or making a call to that subscriber. But First Wap’s technology uses SS7 to zero in on phone numbers and trace the location of their users.

Much more in this Lighthouse Reports analysis.

Posted on October 27, 2025 at 7:08 AM • 16 Comments

Comments

DDNSA October 27, 2025 1:17 PM

Asking for a Friend: does it work for the suspects that always leave their phones at home? Oh, wait, they have drones for that. Or your neighbor’s cameras connected to the police department…

Captain Crunch October 27, 2025 3:31 PM

It would be nice to warn every number on that dataset but I would even go to the length of publishing all the numbers without names attached so that people could be aware of it. Does anyone know where the leak was published?

Clive Robinson October 27, 2025 3:36 PM

@ ALL,

KCS is just one failure of Stuart Anthony POOLE-ROBB

It’s a company mentioned in the article. When you chased it up, it gives some fairly curious half truths at best,

https://kcsgroup.com/about-us/

Stuart Anthony Poole-Robb, started out being a “Mod-Plod” equivalent in the UK Royal Air Force and due to rapid changes in the world got pulled up the ladder as his body was in the right place at the right time…

But back around the early 1970’s it appears he added attempted removal / assassination of Greek Cypriot leader Archbishop Makarios to his CV…

As far as I can gather it was because of his previous involvement with a “Special Branch”[1] operation where Makarios was effectively kidnapped, held unlawfully, and shipped around the globe,

http://news.bbc.co.uk/onthisday/hi/dates/stories/march/9/newsid_3745000/3745505.stm

And that is not the least of things.

But what of his supposedly successful business life?

Well have a look at the multitude of companies and what happened to them,

https://find-and-update.company-information.service.gov.uk/officers/ff9HIVtZCPUWG2TLDFDYfzvQVF0/appointments

Thus take his published works with a grain of salt about the size of “Lot’s Wife”.

As for KCS Group something tells me it’s doing,

“A leap on the band waggon.”

With “bought in or stolen technology” that goes back to the 1990’s when I was involved with it.

Something I was later doing for a small company that was chasing VC money. The technology used SS7 for doing “Traffic Census” by mapping Mobile Phone journeys was being keenly looked at by amongst others AT&T Mobile based up in Seattle.

The system had anonymity built in via a form of encryption I was involved with the design of. I got “uninvolved” when questions started getting asked about removing the anonymizing protections and tying things to other “black databases”.

[1] The UK Special Branch was the “enforcement arm” of the then UK Intelligence forces for “home operations”(think MI5 mainly). Whilst they were technically “Police Officers” only some were actually “warranted”, false ID’s and Warrant Cards were issued on an “as needed” basis. There has been a fluid relationship between the UK Met Police and MI5 since. Some may remember the “under cover operatives” that worked in supposed deep cover to undermine and attack protest groups. And shockingly as became clear sleeping with female “supposed suspects” was seen as a perk of the job since the 1980’s at least and some had children with them, then just disappeared leaving people literally “holding the baby”,

https://www.bbc.co.uk/news/uk-england-nottinghamshire-56820122

KC October 27, 2025 7:42 PM

@ Captain Crunch, All

Interestingly, it looks like this data trove spans 2007 to 2014 and contained 14,000 unique phone numbers across 160 countries.

I guess I am new to these types of investigations, because Geiger says he could use the phone number to lookup an identity.

Geiger: … I decide to take this phone number and put it inside basically a search engine that allows me to see social media accounts that are attached to a phone number. When I drop it in there, I get a name back. Gianluigi Nuzzi. It’s an Italian journalist and this Italian journalist is famous for investigating corruption at the Vatican.

It makes me wonder if the dataset will be released publicly, if it hasn’t already. (It’s reported that the archive investigation drew together over 70 journalists from 14 media outlets.)

They do mention a lot of prominent names. However, I’d guess every one of us is naturally at risk as … “Any entity with SS7 access can send queries requesting information about which cell tower a phone subscriber is nearest to”

[First Wap] had a web portal that it used to demonstrate its product. That portal relied on SS7 connectivity through an Indonesian telecom carrier and via Liechtenstein’s national operator … The First Wap archive shows that Altamides routed hundreds of thousands of location-tracking queries—including those targeting Gianluigi Nuzzi—through Telecom Liechtenstein.

Adding that Telecom Liechtenstein has suspended its business relationship with First Wap, now.

In the last decade, a number of companies have developed products exploiting the SS7 system for surveillance purposes.

First Wap, industry insiders said, was the first.

“They were ahead of their time,” said a former manager

Winter October 28, 2025 1:24 AM

Any entity with SS7 access can send queries requesting information about which cell tower a phone subscriber is nearest to

I have heard there is a way to protect against this surveillance that has been used for some time by potential targets.

The central point is to decouple the phone number from the mobile device and use VoIP.

You buy a SIM card + mobile and subscribe to a virtual phone number. The SIM card and its phone number are only used for internet/IP access. They are NEVER used to actually initiate or receive a call. This number is also never divulged and should not be under the target’s name.

All calls and communications are done using the virtual phone number over IP. Whose location is at some provider.

The SIM card/number and mobile can be changed as often as is considered necessary.

lurker October 28, 2025 4:18 AM

@KC

Geiger: … I decide to take this phone number and put it inside basically a search engine that allows me to see social media accounts that are attached to a phone number.

Most telcos blocked reverse lookups of phone nrs years ago, but social media is a horse of a different color . . .

Clive Robinson October 28, 2025 6:03 AM

@ Winter, ALL,

With regards,

“The central point is to decouple the phone number from the mobile device and use VoIP.”

Yes but as importantly the way it is done.

It’s not supposed to be allowed in the EU but the records of every phone call and just about every set of Internet traffic are,

1, Logged.
2, Put into business (third party) records.
3, Made available for money in what ever legal jurisdiction allows it.

As the old saying has it,

“There be Gold in them mountains all you have to do is mine them.”

And it’s the mining aspect that legislation is far far behind.

Basically if you put all those “third party business records” into a large database and run appropriate search queries by “UTC and Geo-location” they can “jump over most of the decoupling” you might have put in place.

Whilst averaging the results by some measure give a linkage map of increasing certainty, in reality only about three or four points will get the information with over a 19 out of 20 certainty or better.

You don’t need AI to do this just a simple database and search strategy.

As I noted earlier I was involved with a company that was looking for VC funding and was actually doing this back in the early 2000’s.

What they did was take the SS7 information and use a hash table to randomly encrypt the User Identifier Details before putting it in their database.

As many will know the fact that the mobile journey waypoints got logged for doing the “traffic census” meant that even though the user information was stripped people driving to work or traveling by public transport would get linked and their home, work, or both locations identified as would be their habits.

Most people can not sufficiently randomise their behaviour with regards their daily routines.

I could go into further details about how this can be built into a complete profile but I’ve done that before.

The real fault is that nearly all E-Comms these days are Circuit based rather than Broadcast based and frequently have automatic “beaconing systems” built in.

Thus the mobile or “out station” location is known by the Operator “home station” where the third party records are kept.

Breaking this location and time information is virtually impossible with standard “consumer and commercial communications systems”

It’s one of the reasons I caution about Tor and similar. If they have one user/location point identifier and connection times, then your traffic will get identified by “habit” etc.
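The point made in the comment above, that hashing subscriber identifiers does not anonymise a journey log, as an added example that is not part of the original thread: a release audit a data holder could run to count how many pseudonyms are still singled out by their home/work cell pair. The salted SHA-256 pseudonym, the cell names and all records are constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict

SALT = b"constructed-demo-salt"  # assumption: salted hash as the pseudonymisation step

# Constructed sample: subscriber -> (overnight cell, daytime cell)
COMMUTERS = {
    "sub-A": ("cell-101", "cell-900"), "sub-B": ("cell-101", "cell-901"),
    "sub-C": ("cell-102", "cell-900"), "sub-D": ("cell-102", "cell-901"),
    "sub-E": ("cell-103", "cell-902"), "sub-F": ("cell-103", "cell-902"),
}

def pseudonym(subscriber_id):
    """Replace the identifier with a salted hash before storage."""
    return hashlib.sha256(SALT + subscriber_id.encode()).hexdigest()[:12]

def build_census(commuters, days=5):
    """Constructed waypoint log: (pseudonym, hour_utc, cell_id) rows."""
    rows = []
    for sub, (night_cell, day_cell) in commuters.items():
        p = pseudonym(sub)
        for _ in range(days):
            rows += [(p, 2, night_cell), (p, 23, night_cell),
                     (p, 8, "cell-500"),  # transit cell shared by everyone
                     (p, 10, day_cell), (p, 15, day_cell)]
    return rows

def home_work_profiles(rows):
    """Most frequent overnight and working-hours cell per pseudonym."""
    night, day = defaultdict(Counter), defaultdict(Counter)
    for p, hour, cell in rows:
        if hour >= 22 or hour < 6:
            night[p][cell] += 1
        elif 9 <= hour < 17:
            day[p][cell] += 1
    return {p: (night[p].most_common(1)[0][0], day[p].most_common(1)[0][0])
            for p in night if p in day}

def anonymity_sets(profiles, key=lambda hw: hw):
    """k per pseudonym: how many pseudonyms share its quasi-identifier."""
    sizes = Counter(key(hw) for hw in profiles.values())
    return {p: sizes[key(hw)] for p, hw in profiles.items()}

def audit(commuters=COMMUTERS):
    """Summarise k-anonymity for home alone, work alone, and the pair."""
    profiles = home_work_profiles(build_census(commuters))
    return {
        "home_only_min_k": min(anonymity_sets(profiles, lambda hw: hw[0]).values()),
        "work_only_min_k": min(anonymity_sets(profiles, lambda hw: hw[1]).values()),
        "pair_unique": sum(k == 1 for k in anonymity_sets(profiles).values()),
        "total": len(profiles),
    }

if __name__ == "__main__":
    print(audit())
```

In the constructed data every home cell and every work cell is shared by two pseudonyms, yet four of the six pseudonyms are unique once the two points are combined, so a release check has to measure k on the combined quasi-identifier rather than on each field.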

Privacy October 28, 2025 6:28 AM

Like so much in ICT, such as email, it was built without encryption and plaintext is used. It relies on trust between carriers.

Clive Robinson October 28, 2025 6:36 AM

@ lurker,

“social media is a horse of a different color…”

Nagh not a “horse” more like a “Komodo Dragon” where even a small scratch can end up making your life incurably bad twenty or more years afterwards…

From,

Deathly Drool :

Evolutionary and Ecological Basis of Septic Bacteria in Komodo Dragon Mouths

https://pmc.ncbi.nlm.nih.gov/articles/PMC2888571/

“The Komodo dragon (Varanus komodoensis) is the world’s largest lizard, with a mass up to 90 kg and a length of 3 m. …

… In some cases, the ultimate demise of [the] prey is purportedly due to more than just direct bite induced trauma, involving bacterial sepsis acquired from the lizard’s bite, or envenomation.”

Due to lack of study, even today, there is still a debate in the academic community about the type of bacteria. And importantly how it’s spread from dragon to dragon and to prey that escapes. But recorded medical data from some survivors of attacks show that it’s not something a few pills will solve. One argument is that like TB the pathogen can “hide dormant” in your body waiting for an opportune time to attack.

I wonder if the term “Dragon’s bite attack” could be registered 😉

Winter October 28, 2025 9:52 AM

@Clive

Breaking this location and time information is virtually impossible with standard “consumer and commercial communications systems”

Yes, but you can have a phone with a random phone number/SIM card bought anonymously somewhere (you can still do that in many places). That phone can go online using a VPN. You can communicate by way of VoIP, SMS, Signal, whatever on a virtual phone number. That virtual phone number is located in a data center. The data center does not know where the phone is. A VPN can be selected that has (some) trust with the user to protect the “identity” of the mobile device/SIM card.

The communications are not private, they happen on the known virtual phone number. But the connection between the virtual phone number and the “real” phone number of the SIM card is private. Therefore, the location of the user of the virtual phone number is protected.

Also, the virtual phone number can be persistent while the SIM cards/mobile devices can be exchanged as often as is seen fit.

Obviously, court orders and TLAs can find users, but random illegal parties much less so.

Clive Robinson October 28, 2025 3:10 PM

@ Winter, ALL,

With regards,

“Yes, but you can have a phone with a random phone number/SIM card bought anonymously somewhere”

That does not work and has not worked for decades.

Your mobile has an electronic serial number for the actual hardware.

Your Subscriber ID Module (SIM) has its own electronic serial number.

Both numbers get put in the logs these days. So changing the SIM etc does not change the mobile serial number.

It’s why authorities can find stolen phones that have been shipped to China etc (happens with a lot of high end Apple iPhones).

The fact is the “authorities” don’t do anything about it, for a couple of reasons,

1, Not doing anything means they can not screw up and therefore get sued.
2, It’s what “insurance cover” is for.

So they’ve completely “externalised” not just the risk, but the cost of taking any action. In fact some police if you try reporting the theft will –lets use the word– “discourage” you and ask for details they know you won’t have before they will “log the crime”…

So next to no cost and much better crime statistics, and make it somebody else’s problem.

The only way a “Burner Phone” works these days is as a “one time device” where you’ve modified it such that the battery can be disconnected and charged entirely separately. Because the minute you connect it or fit a charged battery the SIM CPU fires up and tries to connect to any phone network in range irrespective of who is the “Service Provider”.

Remember in the past I’ve said that the “standards have been fritzed with” by the Five Eyes etc to make surveillance almost “trivial” usually by saying it’s “Health and Safety”.

Well this is one of those examples. You turn the phone off take out the battery, pull the SIM, but then turn the phone on it connects to the “closest network” to get location and other data from the network and GPS, WiFi and Bluetooth, it then allows you to make “Emergency calls” and all that data gets downloaded to the “Operator” and logged along with the recorded conversation.

The thing is all that data can simply be requested via SS7 just by knowing the electronic serial number for the hardware.

Even ordinary users can do similar with a 3GPP, “GSM 03.48” “Class 0 SMS” message used as a “Silent SMS”,

https://www.efani.com/blog/what-is-a-silent-sms-attack

https://mandomat.github.io/2023-09-21-localization-with-silent-SMS/

Which can just “find the hardware”. In part the more general Class 0 SMS has had a name change to Flash SMS then another to SMS OTA. It’s supposedly “secure” but as the security is from ETSI, I for one won’t trust it. And people would be foolish to do so.

Each iteration appears to have made “control over the mobile device” by the Service or Network provider easier, but with poor security it suffers it also makes life for criminals etc far far easier.

https://bsg.world/glossary/ota

Winter October 29, 2025 1:24 AM

@Clive

The thing is all that data can simply be requested via SS7 just by knowing the electronic serial number for the hardware.

All true, and all not the point.

SS7 et al. can link your identity to your known phone number and your known IMEI number and then to your location.

The scheme used by those who protect people inserts a virtual known phone number in this chain. Now, there is no publicly known link between your virtual phone number and your SIM or device.

No one needs to know the SIM phone number nor the IMEI, not even the owner. The only thing anyone has to know is the virtual phone number.

Winter October 29, 2025 2:02 AM

@Clive

The thing is all that data can simply be requested via SS7 just by knowing the electronic serial number for the hardware.

Continued:

I seem to be unable to find the right words. Here is an advertorial where it is explained much better than I can.

Keep Your Personal Info Safe with a Virtual Phone Number
https://www.call.com/blog/virtual-mobile-phone-number-protect-data

Protect location data

Another great feature to virtual phone numbers is that they protect your location data. Regular phone numbers will use phone networks to send and receive calls and messages. So, there is always a set of data leading back to your location that could potentially be exposed. Virtual phone numbers, on the other hand, use a wireless internet connection. Protecting your location data over the internet is a much simpler task than protecting it over a phone network through the use of tools like VPNs. These tools can provide a lot more location anonymity to your communication. That anonymity, combined with encryption features like transport layer security (TLS) and secure real-time transport protocol (SRTP), means that virtual phone numbers are incredibly secure.
