Ghost in the network
How a Swiss tech expert runs a global phone surveillance system
In the decade since Edward Snowden’s leaks exposed the workings of the US and UK national surveillance apparatus, the market for spying services has fragmented and expanded into a start-up economy of location trackers, password crackers and data extractors. Investigations into this industry have focused on spyware companies like NSO Group and Intellexa. But here we expose a prolific actor in this space, operating not from a secret office building in the high tech hubs of Tel Aviv, Larnaca or Athens but from a modest terraced house on a sleepy sidestreet in the medieval town of Basel.
His name is Andreas Fink: maverick tech expert and telecom entrepreneur, former ally of Julian Assange and vocal critic of the security state, now turned surveillance industry enabler.
Our investigation shows how Fink has built a surveillance apparatus that he has put at the disposal of governments and companies around the world – including Israel’s Rayzone Group, a top-tier cyber intelligence company. Fink’s set-up is capable of exploiting loopholes in mobile phone connection protocols to track the location of phone users and even redirect their SMS messages to crack internet accounts.
Experts in the telecom security field agree: these activities are “a clear and present danger to anyone with a phone”.
For over a year, Lighthouse Reports worked with confidential sources in the telecom industry to build an unprecedented profile of Fink’s activity, rated by many industry experts as among the most significant sources of network attacks globally.
Central to understanding the Swiss’s operation was a list of network access points, called “global titles”. These GTs in industry jargon are not only operated by telephone service providers but also leased by private companies from SMS vendors to surveillance actors. GTs look like phone numbers. They send and receive data allowing phones to communicate with each other. Traffic through phone networks – such as requesting location info on a device – can be observed as coming from a particular GT. Working with industry insiders we developed a list of GTs which had been observed carrying out suspicious activities in different parts of the world. We were able to link these to specific operations, and cross-correlate them with other operations seen by analysts elsewhere.
Who owns or uses a particular GT is not always obvious, however, even to insiders. We could see that some of the GTs we observed were registered in public databases to Fink Telecom Services. But we also obtained leaked documentation with non-public lists of GTs used by Fink at different times.
Our resulting dataset has identified over 100 GTs linked to or used by Fink. From this list we focused on a smaller number of incidents, looking in detail at which GTs had been spotted working together on specific days in specific locations.
To understand this data we drew on multiple other resources. We obtained copies of communications between Fink and actual or potential business partners, as well as maps of his connectivity – that is, the companies he used as intermediaries to send requests into phone networks. We interviewed industry insiders and spoke in detail to security analysts who have been tracking his activities.
Together with Der Spiegel, Haaretz, Tamedia and Mediapart, we explore the hidden ecosystem of telecom network penetration and how Fink’s activities spanned the world.
In the Democratic Republic of the Congo, he demonstrated his surveillance system to intelligence officials. The demo involved him pinpointing the location of an individual who, the officials said, operated an anonymous defamatory anti-government Facebook account.
Approaching a phone company employee via social media, he offered $1000 per month for access to the employee’s West African phone network – access which he intended to use to “track suspects” in war-torn Mali. He didn’t say why or who for.
In South East Asia and Israel his systems were used to take over Telegram and other accounts by redirecting SMSes used to secure them.
In Guerrero, Mexico, a trace shows an effort to extract personal data, including location data, from a journalist’s phone. The next day, the journalist was shot dead. The trace goes back to a global title leased by Fink, although he says he was not using it at that time.
These stories emerge as industry bodies and European parliamentarians are looking at the neglected risks inside phone networks in the context of mounting concerns over widespread surveillance.