A joint investigation by Bloomberg News and the Bureau of Investigative Journalism has uncovered a covert phone surveillance business—which may be even more alarming than Pegasus (explained here). This one hijacks networks used to send the SMSes we all receive—ads, alerts and two-step verification requests—from some of the biggest companies, including Google and Twitter.
Editor’s note: Since this is an exclusive investigation, we offer only the basic details—and encourage you to read the original stories based on the hard work of reporters.
The company: Mitto AG was founded in 2013 by Ilja Gorelik and Andrea Giacomini. Though it is headquartered in Switzerland, most of its staff are in Germany and Serbia.
The business:
Point to note: Mitto is only one of many middlemen hired by tech companies to deliver messages to their customers. So every SMS you get from Google or Twitter is actually sent by a company like Mitto.
Starting in 2017, co-founder and Chief Operating Officer Gorelik secretly sold access to Mitto’s networks to surveillance companies. These companies contract with government agencies to help locate and track “persons of interest.” In other words, the exact same network used to deliver that password verification message was being used to spy on a person—and hack information from their phone.
How this works: Telecommunications companies use a protocol known as SS7, or Signalling System 7. It basically determines how different telecom networks exchange information and route phone calls between one another. The technology is old, dating back to the 1970s, and is riddled with security holes. But telecom companies continue to use SS7 because it is expensive to replace.
These holes in SS7 can easily be used to determine the physical location of mobile devices and intercept or redirect text messages and voice conversations. Thanks to its deals with telecom companies, Mitto had SS7 access—which Gorelik, in turn, passed on to the surveillance companies.
Point to note: It is easiest to hack into SS7 when a person is travelling: “One of SS7’s key functions in these networks is handling roaming, where a subscriber to a ‘home network’ can connect to a different ‘visited network’ such as when traveling internationally.”
The TRG example: The Cyprus-based firm TRG Research and Development sells a software platform called Intellectus. It is used to track people’s locations, monitor their call and text message records and identify their connections on Facebook. Much like the NSO Group—maker of Pegasus—TRG insists it only sells to governments and law enforcement agencies. Four former employees confirm that Gorelik personally installed TRG software within Mitto’s computer networks. And they also confirmed that they used Mitto to obtain location data on targeted mobile phones—and in some cases call logs showing who particular people were contacting and when.
Not the first case: Other investigations have revealed similar hacking of phones using SS7 loopholes. A December 2020 report by Citizen Lab showed how another surveillance company, Circles, was snooping on phones on behalf of law enforcement/military in places like Botswana, Thailand and the UAE, all with terrible human rights records.
An India angle: A previous investigation by the Bureau of Investigative Journalism showed how surveillance companies hijacked phone networks in various parts of the world—from Cameroon to the US—to locate Princess Latifa al-Maktoum. The daughter of Dubai ruler Sheikh Mohammed fled the country on a yacht—which was finally intercepted off the coast of Goa (explained here). What’s notable: They may have located Princess Latifa by hacking the phone of the yacht’s captain, Hervé Jaubert.
Speaking of the Middle East: Gorelik personally claimed to have connections to a national spy agency in the Middle East and was helping that country’s defense ministry track people’s locations.
Big silver lining to note: There is no evidence that the user data of any of the tech companies involved—be it Google or Twitter—was compromised.
The bottom line: A cyber policy expert sums up why this investigation matters:
“The biggest technology companies that provide critical services are blindly trusting players in this ecosystem who cannot be trusted. It’s dangerous for human rights. It’s dangerous for trust in an information society. And it’s dangerous for trust in companies.”
You can check out the investigation into Mitto over at Bloomberg News—or read a more detailed version by the Bureau of Investigative Journalism. The BIJ also has a good piece on the dangers of SMS—and the weaknesses in the global telecom system. The Citizen Lab report on Circles does the best job of laying out how SS7 hacking works. If you want to refresh your memory on Pegasus, read our explainers here and here.