A company that sends SMS OTP codes on behalf of Google, Twitter, Facebook, etc. also helps governments to get precise locations of users

As a result of one of the most revealing cybersecurity investigations in recent times, the co-founder of Mitto AS, a well-known company that collaborates with some of the world’s leading firms to send security codes via SMS messages has been accused of selling access to some users’ mobile devices, which would help various authoritarian governments.

Mitto is a firm based in Switzerland and specialized in providing automated SMS messaging services for marketing campaigns, sending security codes, reminders and other practical applications. Mitto currently works with hundreds of organizations in more than 100 locations. Among Mitto’s main clients are tech giants such as Google, WhatsApp, Twitter, LinkedIn and Telegram, even working with Asian firms such as TikTok, Tencent and Alibaba, not to mention their partners in the phone operator industry.

An investigation by the Bureau of Investigative Journalism and reports shared by former employees claims that Ilja Gorelik, co-founder of Mitto, has been secretly selling access to the company’s networks for the identification and tracking of target users through their mobile devices and online profiles. According to the report, this practice was completely ignored by users and business customers, as it was only known to a small group within Mitto.

Gorelik and his accomplices contacted some surveillance companies in order to sell this service to various government agencies.

After the report’s release, Mitto issued a statement denying any connection to a surveillance operation, and an internal investigation was ordered to identify any possible malicious use of the company’s technology: “We will take corrective action should it be necessary,” Mitto concludes. The company also did not add further details about Gorelik and it is unknown if he is still working at the company.

The reports obtained by the researchers clearly contradict Mitto’s official stance; Two informants said that Gorelik ordered that custom software be added to the company’s networks to track certain users, a task carried out without any supervision, so they do not rule out its improper use.

Informants cited as an example a case in which the phone of a U.S. Department of State official was compromised for surveillance purposes in 2019. Former Mitto employees could not confirm which state actor was behind this follow-up campaign.

In addition to working with the aforementioned technology companies, Mitto collaborates with telephone operators such as Vodafone, Telefonica, MTN and Deutsche Tekekom. When questioned, most of the companies reserved any statement about it, while only one Vodafone representative responded by mentioning that they have collaborated with Mitto exclusively on SMS messaging services.

This investigation was possible thanks to the collaboration of dozens of people, including cybersecurity specialists and former employees of the company, in addition to the analysis of emails and internal documentation. While the people interviewed claim to have witnessed this practice, few people know the technical details behind the surveillance systems used by Mitto. The informants also mentioned that, to their knowledge, there is no evidence that this surveillance campaign has compromised additional information from companies using Mitto’s SMS service, although the company would have to allow a detailed investigation to know this for sure. 

These little-known practices, in addition to the work of firms such as NSO Group and its infamous Pegasus spyware, have become a national security issue for governments around the world, mainly in the U.S. Ron Wyden, a member of the U.S. Senate intelligence committee, mentions that, repeatedly, the U.S. Congress has warned about these security risks without the authorities being able to do anything about it.

At the moment, Mitto continues to address public relations issues, although everything seems to indicate that there is no intention to reveal more details about this surveillance system, which worries users, companies and privacy advocates alike.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.