The U.S. Secret Service’s recent seizure of 300 SIM servers and 100,000 SIM cards in New York highlights a growing national security issue: the weaponization of telecom infrastructure for fraud, espionage, and large-scale cyber operations.
While SIM boxes have long been associated with telecom fraud, modern adversaries — including nation-state actors — increasingly combine them with GSM interceptors (IMSI catchers), SS7/SIGTRAN abuse, and even eSIM provisioning risks to create rogue telecom nodes.
The Role of SIM Boxes: From Fraud to Espionage
What They Are
- A SIM box (SIM server / GSM gateway) is a hardware device that holds dozens to thousands of SIM cards.
- It connects to cellular networks like a normal phone, but in bulk.
- Originally used by call centers and businesses to lower call costs (routing VoIP → GSM).
But attackers can reconfigure them to act like miniature telecom nodes, inserting themselves into the mobile network flow.
Section 1: How SIM Box Attacks Work — Detailed Breakdown

1. Bypassing Telecom Monitoring & Billing (Fraud)
How it works:
- Normally, when you make an international call, telecom carriers charge higher rates and log traffic through official gateways.
- A SIM box tricks the system by routing international calls as local calls.
- It works by:
  - Receiving an international VoIP call (over the internet).
  - Using one of its hundreds of SIM cards to re-originate the call as if it’s local.
  - Recipient sees a local number, carrier loses revenue, and monitoring systems think it’s normal traffic.
Why it’s possible:
- SIM boxes mimic legitimate users, often spread across hundreds of SIM cards to avoid detection.
- Carriers struggle to distinguish between a SIM box call and a real subscriber.
Example:
- A fraud operator in Nigeria receives a VoIP call from the U.S.
- Instead of going through the official carrier route (with $0.25/min fee), the SIM box sends it out via a local prepaid SIM ($0.02/min).
- Multiply this by millions of calls daily, and telecoms lose billions annually.
2. Mass Phishing & Smishing Campaigns
How it works:
- A SIM box with 1,000 active SIM cards can blast SMS messages at scale.
- Attackers send fake banking alerts, OTP requests, or package delivery texts.
- Messages come from real local numbers, making them harder to block.
Why it’s possible:
- Carriers often filter bulk SMS from known gateways, but can’t easily block thousands of small SIM cards each sending 50–100 texts.
- SIM boxes can rotate SIMs and spoof sender IDs to evade detection.
Example:
- During UN Assembly week in New York, attackers could send: “Security Alert: Your State Department account needs revalidation. Click here: secure-portal-login[.]com”
- If even 1% of 1 million recipients click, thousands of credentials could be stolen in hours.
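Sections 1 and 2 describe how a SIM box looks on the network. As an added illustration that is not part of the original article, here is a small rule-based profiler a carrier's fraud team might run over call detail records (CDRs) to pick out that footprint: almost entirely outgoing traffic, a different called party on nearly every event, a single fixed cell, nobody calling back, and activity at every hour of the day. The record layout, the sample CDRs and the thresholds are constructed assumptions; production systems learn thresholds from labelled data and add features such as data usage and call-duration variance.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    """One call detail record (constructed for this example)."""
    sim: str        # subscriber identifier (IMSI or MSISDN)
    direction: str  # "out" or "in"
    kind: str       # "call" or "sms"
    peer: str       # the other party's number
    cell: str       # serving cell at the time of the event
    hour: int       # hour of day, 0-23


# Constructed sample: sim-A behaves like a person, sim-B like one SIM-box channel.
SAMPLE_CDRS = [
    Cdr("sim-A", "out", "call", "+12125550101", "cell-1", 9),
    Cdr("sim-A", "in",  "call", "+12125550102", "cell-2", 12),
    Cdr("sim-A", "out", "sms",  "+12125550101", "cell-2", 13),
    Cdr("sim-A", "in",  "sms",  "+12125550103", "cell-3", 18),
    Cdr("sim-A", "out", "call", "+12125550103", "cell-3", 20),
] + [
    # 30 outgoing events (20 calls, 10 SMS), a different called party every
    # time, one fixed cell, spread over every hour of the day.
    Cdr("sim-B", "out", "sms" if i % 3 == 0 else "call",
        f"+1212555{1000 + i:04d}", "cell-7", (i * 5) % 24)
    for i in range(30)
]

MIN_EVENTS = 20  # below this volume the ratio rules are not meaningful


def profile(cdrs):
    """Aggregate per-SIM features and score them against SIM-box indicators."""
    by_sim = defaultdict(list)
    for rec in cdrs:
        by_sim[rec.sim].append(rec)

    profiles = {}
    for sim, recs in by_sim.items():
        total = len(recs)
        outgoing = [r for r in recs if r.direction == "out"]
        incoming = total - len(outgoing)
        peers = {r.peer for r in outgoing}
        feats = {
            "total": total,
            "out_ratio": len(outgoing) / total,
            "peer_ratio": len(peers) / len(outgoing) if outgoing else 0.0,
            "cells": len({r.cell for r in recs}),
            "active_hours": len({r.hour for r in recs}),
            "incoming": incoming,
        }
        # Each rule is one classic SIM-box trait; the score is how many fire.
        rules = [
            feats["out_ratio"] >= 0.95,                            # almost never called
            total >= MIN_EVENTS and feats["peer_ratio"] >= 0.9,    # fresh callee each time
            total >= MIN_EVENTS and feats["cells"] == 1,           # never moves
            feats["active_hours"] >= 12,                           # active round the clock
            total >= MIN_EVENTS and incoming == 0,                 # nobody calls back
        ]
        feats["score"] = sum(rules)
        profiles[sim] = feats
    return profiles


def flag_sim_boxes(cdrs, threshold=3):
    """Return the SIM identifiers whose score reaches the threshold."""
    return sorted(sim for sim, f in profile(cdrs).items() if f["score"] >= threshold)


if __name__ == "__main__":
    for sim, feats in profile(SAMPLE_CDRS).items():
        print(sim, feats)
    print("flagged:", flag_sim_boxes(SAMPLE_CDRS))
```

Run stand-alone it prints both profiles and flags only `sim-B`. The point of scoring several weak traits rather than one strong one is the rotation the article describes: an operator spreading traffic across 100,000 SIMs keeps any single SIM's volume modest, but cannot easily make a SIM that is never called, never moves and is awake at 3 a.m. look like a person.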
3. Interception of Sensitive Calls/Messages
How it works:
- SIM boxes can be configured as rogue telecom nodes.
- By controlling call routing, attackers can:
  - Record calls passing through.
  - Clone SIMs to silently receive SMS OTPs.
  - Man-in-the-middle SMS (delivering OTP to user but also forwarding a copy to attacker).
Why it’s possible:
- Telecom networks still rely heavily on SS7 signaling (outdated, insecure protocol).
- If attackers control SIM infrastructure, they can abuse SS7 flaws to reroute or intercept traffic.
Example:
- A diplomat calls Washington via mobile.
- Call passes through a hijacked SIM server.
- Attackers record the conversation before routing it forward.
- The diplomat never notices anything unusual.
4. SIM-Based Command & Control (C2) for Cyber Operations
How it works:
- Instead of internet-based C2 servers (which are easy to detect), attackers use SIM cards as covert communication channels.
- Malware on infected systems can:
  - Send SMS commands (“exfil data”, “launch ransomware”) to the SIM box.
  - Receive C2 instructions disguised as harmless texts.
Why it’s possible:
- SMS is still widely supported and harder to monitor than HTTP/S traffic.
- SIM boxes provide redundancy — if one SIM is blocked, attackers switch to another.
Example:
- A botnet in the U.S. is programmed to check SMS messages from a list of phone numbers every 10 minutes.
- Attacker sends: “#CMD:UPLOAD /docs/*.pdf 203.0.113.5”
- Bots receive this via SMS routed through SIM servers → exfiltrate sensitive documents.
Section 2: SIM Boxes – Rogue Telecom Node
A rogue SIM box abuses its ability to:
- Terminate traffic (calls/SMS) into mobile networks.
- Route traffic across different SIMs/networks.
- Masquerade as normal subscribers.
With custom firmware, they can mimic behavior of legitimate telecom elements like:
- Base Transceiver Stations (BTS) – cell towers.
- Signaling nodes (SS7/SIGTRAN) – for call setup.
- SMS Centers (SMSC) – for routing SMS.
Section 2.1: Ways SIM Boxes Are Turned Into Rogue Nodes
(a) Call/SMS Interception
- SIM boxes can be configured to terminate inbound calls/SMS and then re-originate them, giving attackers a chance to:
  - Record the communication.
  - Modify payloads (e.g., change OTP SMS).
- This effectively makes the SIM box a man-in-the-middle.
Example:
- Diplomat receives an OTP SMS from a bank.
- SMS is first routed through the SIM box → attackers copy the OTP → then forward to the diplomat.
(b) IMSI-Catcher Integration
- SIM boxes can be paired with rogue base stations (IMSI catchers / Stingrays).
- Process:
  - IMSI catcher tricks nearby phones into connecting.
  - Captured traffic is forwarded through SIM box SIMs to reach real carriers.
  - Attacker now relays all traffic, while maintaining invisibility.
Result: The SIM box becomes a “bridge” between a fake cell tower and the real network.
(c) SS7 Exploitation
- If attackers gain access to SS7/SIGTRAN signaling via SIM box software, they can:
  - Request call forwarding.
  - Reroute SMS to attacker-controlled SIMs.
  - Query subscriber location.
Example:
- Using SS7 commands, attacker sets up “silent call forwarding” → all calls to a VIP silently mirror to attacker’s SIM box.
(d) SMSC Emulation
- With modified firmware, SIM boxes can behave like SMS Centers (SMSC).
- This allows them to:
- Queue, delay, or drop SMS messages.
- Insert malicious SMS payloads (phishing, fake alerts).
Example:
- Instead of delivering a bank’s real OTP SMS, SIM box replaces it with: “Your account has been locked. Enter your login here: secure-login[.]net”
Why It Works
- Telecom trust model is weak:
  - Carriers often don’t validate whether a node is truly part of the official infrastructure.
  - SS7/SIGTRAN protocols were designed in the 1980s without authentication.
- SIM box traffic looks like normal subscribers:
  - A SIM sending calls/SMS from New York looks no different from a human user.
- Scaling with 100,000 SIMs:
  - If one SIM gets flagged, the system rotates automatically.
Section 3: How Call/SMS Interception Technically Works With SIM Boxes
Normal SMS Flow (No Attack)
When a bank sends you a one-time password (OTP) SMS:
- Bank server → SMSC (SMS Center of its carrier).
- SMSC → Telecom interconnect (may cross multiple carriers if international).
- Recipient’s carrier → Cell Tower → Phone.
✔ The message is encrypted over the air (between tower ↔ phone), but in the carrier core it’s cleartext.
✔ No end-to-end encryption exists in legacy SMS.
Section 3.1: How Attackers Insert a SIM Box Into the Flow
A SIM box alone can’t intercept SMS directly, but attackers configure SIM boxes as rogue endpoints or relays in the telecom system.
Some common technical attack methods are:
Method A: SS7 Exploitation (Core Network Hijack)
- SS7 (Signaling System 7) is the global protocol used to set up calls and deliver SMS.
- It has no authentication → anyone with SS7 access can send commands like:
  - UpdateLocation → reroute a subscriber’s SMS to another MSC (Mobile Switching Center).
  - SendRoutingInfoForSM → tell the SMSC that the target’s location is the SIM box instead of the real phone.
How UpdateLocation and SS7 Commands Enable SMS Rerouting
When you receive an SMS:
- Originating SMSC (Short Message Service Center) asks SendRoutingInfoForSM → “Where is subscriber +1-212-555-1234 currently located?”
- HLR (Home Location Register) responds with the MSC (Mobile Switching Center) currently serving you.
- SMSC forwards the SMS to that MSC, which then delivers to your phone.
✔ Works fine if all participants are honest.
Attack With UpdateLocation
UpdateLocation is an SS7 command used when a subscriber moves to a new network (e.g., roaming abroad).
- Attacker abuses this by sending a fake UpdateLocation message to the HLR:
  - “Subscriber +1-212-555-1234 is now served by MSC-ID = [attacker-controlled node / SIM box].”
- HLR updates its records.
- From now on, all incoming SMS for that subscriber are routed to the attacker’s MSC.
Result:
- OTP SMS from a bank → goes to attacker’s SIM box first.
- Attacker copies OTP.
- SMS is either forwarded to the real MSC or silently delivered later.
Other Abusable SS7 Commands
- SendRoutingInfoForSM (SRI-SM): lets attackers query where a subscriber is (location leaks, surveillance).
- InsertSubscriberData: can provision/change services, e.g., enable call forwarding.
- ForwardShortMessage: lets attackers inject SMS directly.
Flow in attack:
- Attacker sends SS7 command to reroute OTP SMS to their SIM box SIM.
- OTP is delivered to SIM box first.
- SIM box software logs the OTP.
- SIM box forwards SMS to the real recipient (so they never notice).
Example:
- Bank sends OTP: “Your code is 482191”.
- SIM box logs 482191.
- OTP still arrives at the diplomat’s phone normally.
This is possible because SMS routing relies on trust between carriers, and SIM boxes (especially with gray-market SS7 access) can impersonate network elements.
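To make the trust problem concrete from the defender's side, here is an added example (not part of the original article) of the plausibility checks an HLR-side signalling firewall applies to the two messages just discussed: SendRoutingInfoForSM is only answered for SMSC global titles the carrier interconnects with, and UpdateLocation is rejected when it comes from a network that is not a roaming partner or implies impossible travel from the subscriber's last registration. Real firewalls classify a request by its SCCP calling-party global title, which is what the prefix lookup below stands in for. The peer table, global titles, coordinates, IMSI and speed threshold are constructed assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Peer:
    """A network we exchange signalling with, identified by its global-title prefix."""
    name: str
    lat: float
    lon: float
    roaming_partner: bool  # may send UpdateLocation for our subscribers
    trusted_smsc: bool     # may ask SendRoutingInfoForSM about our subscribers


# Constructed peer table (names, prefixes and coordinates are all assumptions).
PEERS = {
    "1212": Peer("home-nyc", 40.7128, -74.0060, roaming_partner=True, trusted_smsc=True),
    "44": Peer("uk-partner", 51.5072, -0.1276, roaming_partner=True, trusted_smsc=True),
    "86": Peer("cn-partner", 39.9042, 116.4074, roaming_partner=True, trusted_smsc=False),
}
MAX_SPEED_KMH = 1000.0   # faster than this between two registrations is implausible
IMSI = "001010123456789"  # constructed test-network IMSI


def lookup_peer(calling_gt):
    """Longest-prefix match of the SCCP calling-party global title against PEERS."""
    for prefix in sorted(PEERS, key=len, reverse=True):
        if calling_gt.startswith(prefix):
            return PEERS[prefix]
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


@dataclass
class HlrFirewall:
    """Screens MAP requests before they reach the HLR."""
    last_seen: dict = field(default_factory=dict)  # imsi -> (Peer, timestamp)

    def handle(self, msg):
        peer = lookup_peer(msg["calling_gt"])
        if peer is None:
            return "block:unknown-gt"
        op = msg["op"]
        if op == "SendRoutingInfoForSM":
            # Only SMSCs we interconnect with need to know where a subscriber is.
            return "allow" if peer.trusted_smsc else "block:untrusted-smsc"
        if op == "UpdateLocation":
            if not peer.roaming_partner:
                return "block:not-roaming-partner"
            prev = self.last_seen.get(msg["imsi"])
            if prev is not None:
                prev_peer, prev_ts = prev
                hours = (msg["ts"] - prev_ts) / 3600.0
                dist = haversine_km(prev_peer.lat, prev_peer.lon, peer.lat, peer.lon)
                # A subscriber registered in New York cannot be 11,000 km away ten minutes later.
                if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                    return "block:velocity"
            self.last_seen[msg["imsi"]] = (peer, msg["ts"])
            return "allow"
        return "block:unhandled-op"


# Constructed message sequence; timestamps are seconds from an arbitrary start.
SAMPLE_MESSAGES = [
    {"op": "UpdateLocation", "calling_gt": "12125550000", "imsi": IMSI, "ts": 0},
    {"op": "UpdateLocation", "calling_gt": "8610123456", "imsi": IMSI, "ts": 600},
    {"op": "SendRoutingInfoForSM", "calling_gt": "8610123456", "imsi": IMSI, "ts": 3600},
    {"op": "SendRoutingInfoForSM", "calling_gt": "12125550099", "imsi": IMSI, "ts": 3700},
    {"op": "UpdateLocation", "calling_gt": "442079460000", "imsi": IMSI, "ts": 28800},
    {"op": "UpdateLocation", "calling_gt": "99912345", "imsi": IMSI, "ts": 29000},
]


def run_sample():
    fw = HlrFirewall()
    return [fw.handle(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_MESSAGES, run_sample()):
        print(f'{msg["op"]:22} from {msg["calling_gt"]:14} -> {decision}')
```

The sequence exercises each rule: a home registration is allowed, a registration from Beijing ten minutes later is blocked on velocity, a location query from a peer that is not a trusted SMSC is refused while the home SMSC's is answered, a London registration eight hours after New York is plausible, and an unknown global title is dropped outright. The velocity check is the piece that defeats the fake UpdateLocation in this section even when the sender is a legitimate roaming partner whose interconnect has been leased or compromised.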
How Attackers Get SS7 Access (Observed in Real Cases)
1. Leased Access via “Grey Market” Resellers
- Smaller telecom operators (especially in developing regions) sometimes resell or sub-lease SS7/SIGTRAN connectivity to third parties.
- On underground forums, actors advertise “SS7 services” — typically marketed for:
- Location tracking of phone numbers.
- Intercepting SMS OTPs for banking.
- This has been reported in Europol, ENISA, and Citizen Lab research.
Risk: Criminals don’t need to hack a carrier directly; they just buy services from brokers who already have interconnect access.
2. Compromised or Insider Accounts
- Some attackers bribe or recruit insiders at telecom companies.
- With even low-level access to a carrier’s SS7 gateway or signaling equipment, insiders can run location lookups, set forwarding rules, or dump SMS.
- Example: In Eastern Europe, law enforcement documented cases where rogue employees sold “SS7 lookups” for a few hundred dollars each.
3. Exploiting Weak SS7 Gateways
- Many smaller carriers expose SS7/SIGTRAN interfaces to the internet with weak security (no filtering, no authentication).
- Attackers scan for misconfigured gateways, then:
  - Send malicious UpdateLocation or SendRoutingInfoForSM messages.
  - Inject themselves into routing.
- This technique has been used in multiple real-world surveillance campaigns (e.g., targeting dissidents or journalists).
4. Piggybacking Through VoIP/Wholesale Providers
- Certain VoIP or SMS wholesale providers have legitimate SS7 interconnects to carriers.
- If their systems are hacked, attackers inherit their trusted connectivity.
- This has happened in fraud rings, where compromised SMS aggregators were used to reroute OTP traffic.
5. State-Level or APT Abuse
- Intelligence services in some countries have direct SS7 interconnects through their national carriers.
- Leaked reports suggest these links are sometimes abused for:
  - Mass location tracking.
  - Monitoring targets abroad.
  - Intercepting SMS for espionage.
Can a Foreign Carrier Intercept OTPs Across Borders?
The Global Nature of SS7
- All mobile carriers worldwide are interconnected through SS7/SIGTRAN to allow:
  - Roaming (so your U.S. SIM works abroad).
  - Cross-border SMS (e.g., banks sending OTPs internationally).
  - International calls.
- This means a foreign carrier can query subscriber data from another carrier via the SS7 network — unless the target carrier filters or blocks it.
How a Foreign Carrier Could Abuse It
A malicious or state-directed carrier could:
- Send a “SendRoutingInfoForSM” request for a U.S. phone number.
  - Returns the Mobile Switching Center (MSC) currently serving the subscriber.
  - Reveals the target’s rough location.
- Send a fake “UpdateLocation” command to the Home Location Register (HLR) of the U.S. carrier.
  - Pretends the subscriber is roaming in China Telecom’s network.
  - HLR updates its record: “This subscriber is now served by [China Telecom MSC].”
- Bank sends OTP SMS → U.S. carrier checks HLR → sees subscriber “roaming” in China → routes the SMS to China Telecom MSC.
  - China Telecom logs the OTP.
  - Message may still get forwarded to the real U.S. device (so victim notices nothing).
Why This Attack Is Feasible
- SS7 is based on trust — if a carrier has SS7 interconnect, it can send signaling commands to any other carrier worldwide.
- Many carriers still don’t have strict SS7 firewalls or anomaly detection.
- Nation-states with direct access to their own carriers (e.g., China Telecom, Russia’s Rostelecom) can use this at will.
Real-World Evidence
- 2017 O2 Telefónica Case (Germany): Criminals used SS7 to reroute SMS OTPs from banks → accounts drained.
- 2018–2020 Reports (GSMA, FireEye, ENISA): Documented state-linked actors using SS7 to track dissidents, journalists, and foreign officials.
- U.S. Government Reports: DHS explicitly warned that foreign adversaries can abuse SS7 to spy on U.S. subscribers abroad and domestically.
What Is SIGTRAN?
- SS7 (Signaling System 7): Legacy telecom signaling protocol used since the 1980s for call setup, SMS routing, roaming, etc.
- SIGTRAN (Signaling Transport): The IP-based extension of SS7, which allows carriers to send SS7 messages over IP networks (instead of old TDM lines).
Think of SIGTRAN as SS7 running over IP.
- Uses SCTP (Stream Control Transmission Protocol) for transport.
- Messages are identical to SS7, just carried over IP (via SCTP) instead of dedicated telco circuits.
Why SIGTRAN Matters for Security
- Opens SS7 to IP networks
- Traditional SS7 was “semi-isolated” on telco links.
- With SIGTRAN, SS7 signaling travels over IP — meaning attackers can target it like any other IP-based service.
- More Exposure
- Smaller carriers, SMS aggregators, and VoIP providers may expose SIGTRAN interfaces to the wider internet.
- Weak or misconfigured firewalls = attackers can directly send SS7 commands into the core.
How Attackers Abuse SIGTRAN
1. Unauthorized Access to HLR/VLR
- Using SIGTRAN, an attacker can send fake SS7 commands to core databases:
  - SendRoutingInfoForSM (SRI-SM) → reveal where a subscriber is (location tracking).
  - UpdateLocation → reroute a subscriber’s SMS to an attacker-controlled MSC.
  - InsertSubscriberData → provision malicious services like call forwarding.
Example:
- Bank sends OTP SMS → attacker’s SIGTRAN command reroutes it to SIM box MSC → OTP intercepted.
2. SMS Interception via SIGTRAN + SIM Boxes
- SIM boxes by themselves can’t modify routing.
- But with SIGTRAN abuse, attackers can:
  - Make the HLR believe the subscriber is “roaming” on a fake MSC tied to SIM box SIMs.
  - Force SMS traffic (like OTPs) to terminate inside the SIM box cluster.
  - Log messages → then forward to real MSC → victim never suspects.
3. Call Hijacking
- Using CallForwarding or UpdateLocation, adversaries can silently reroute calls to their own MSC.
- Useful for eavesdropping or impersonation.
4. Fraud (Billing Bypass)
- Attackers abuse SIGTRAN to:
  - Re-route international calls to appear as local (grey routing).
  - SIM boxes terminate calls cheaply, while telcos lose revenue.
- This is why SIM boxes are often called “GSM gateways for grey routes.”
5. Mass Smishing / Spam
- With 100k SIMs + SIGTRAN signaling, attackers can:
  - Send millions of phishing SMS messages.
  - Rotate SIMs to avoid detection.
  - Spoof sender IDs more easily.
Why It’s Still Possible in 2025
- SS7 trust model → no authentication.
- SIGTRAN runs on IP → attackers can find exposed gateways.
- Smaller carriers/aggregators → often have weak firewalls, no filtering.
- Legacy fallback → even with 4G/5G, many carriers still allow 2G/3G + SS7/SIGTRAN for roaming.
Method B: Man-in-the-Middle With IMSI Catcher
GSM Interceptors (IMSI Catchers)
What They Are
- Rogue base stations that mimic legitimate cell towers.
- Nearby phones connect automatically.
Capabilities
- Capture IMSI/IMEI identifiers (subscriber identity).
- Force downgrade to 2G → strip encryption.
- Intercept calls and SMS before they hit the network.
Limitation
- Must be physically close to the target (hundreds of meters to a few kilometers).
A SIM box can also be combined with an IMSI catcher (fake base station / Stingray). This works because over-the-air GSM encryption (A5/1, A5/2, etc.) can be downgraded or broken by rogue BTS equipment.
Method C: Direct SIM Cloning
How SIM Cloning Works (Deep Dive)
The Role of the Ki (Secret Authentication Key)
- Each SIM (or eSIM profile) contains:
  - IMSI (International Mobile Subscriber Identity) → the “phone number identity.”
  - Ki (secret key) → never supposed to leave the SIM. Used in challenge-response with the carrier.
When a phone connects:
- The carrier sends a random challenge.
- SIM computes a response using Ki.
- Carrier verifies against its HLR/AuC.
As long as Ki is secret, only the real SIM can authenticate.
Legacy GSM Weaknesses
- In 2G GSM (COMP128 algorithm):
  - The challenge/response process leaked enough info to eventually recover Ki.
  - Tools + rainbow tables could brute force Ki in hours or days.
- Once Ki was extracted:
  - Attacker could write it to a blank SIM card (clone).
  - Both SIMs could authenticate as the same user (IMSI+Ki pair).
This is the classic SIM cloning attack seen in the 2000s → often used for fraud and call interception.
Why It Still Matters in 2025
- Many carriers still allow fallback to 2G/3G for compatibility:
  - Roaming.
  - Legacy IoT devices.
- Even if you have a 4G/5G SIM, if the attacker forces your phone down to GSM, they can attempt a Ki extraction attack.
- Equipment like IMSI catchers (Stingrays) can force this downgrade.
So even with 5G rollout, the weak link is backward compatibility.
SIM Swap vs. SIM Cloning
- SIM cloning = cryptographic duplication (steal Ki, make clone).
- SIM swap = administrative fraud (convince carrier to port number to attacker SIM).
- Both result in attacker receiving your SMS/OTP.
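The challenge-response described above, and why a cloned Ki is indistinguishable from the real card, can be shown in a few lines. This is an added example, not code from the article: the SIM's A3 function is replaced by a keyed HMAC stand-in (real networks use COMP128 or MILENAGE, and nothing here extracts a key), and the AuC is given the duplicate-IMSI monitor the mitigation section later recommends, which flags an IMSI that successfully authenticates from two different serving nodes within a short window. The IMSI, Ki, node names and window are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

IMSI = "001010123456789"  # constructed test-network IMSI


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3 authentication function.

    Real networks use COMP128 (2G) or MILENAGE f2; any keyed function shows
    the property that matters here: only a holder of Ki can produce the
    32-bit SRES for a fresh RAND. This is NOT the real algorithm.
    """
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


@dataclass
class Sim:
    imsi: str
    ki: bytes

    def respond(self, rand: bytes) -> bytes:
        return a3_stand_in(self.ki, rand)


@dataclass
class AuC:
    """The carrier's Authentication Centre plus a simple duplicate-IMSI monitor."""
    keys: dict                                    # imsi -> Ki on file
    auth_log: list = field(default_factory=list)  # (imsi, serving_node, ts) of successes
    window_s: int = 60

    def authenticate(self, sim: Sim, serving_node: str, ts: int, rand: bytes = None) -> bool:
        ki = self.keys.get(sim.imsi)
        if ki is None:
            return False                          # unknown subscriber
        rand = rand or os.urandom(16)             # fresh 128-bit challenge
        expected = a3_stand_in(ki, rand)
        ok = hmac.compare_digest(expected, sim.respond(rand))
        if ok:
            self.auth_log.append((sim.imsi, serving_node, ts))
        return ok

    def duplicate_imsis(self):
        """IMSIs authenticated from two different serving nodes within the window.

        A genuine subscriber is in one place; two nodes vouching for the same
        IMSI almost simultaneously is the footprint of a cloned Ki.
        """
        suspects = set()
        for i, (imsi, node, ts) in enumerate(self.auth_log):
            for imsi2, node2, ts2 in self.auth_log[i + 1:]:
                if imsi == imsi2 and node != node2 and abs(ts - ts2) <= self.window_s:
                    suspects.add(imsi)
        return sorted(suspects)


def demo():
    """Genuine SIM, a clone holding the same Ki, and a card that knows only the IMSI."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    auc = AuC({IMSI: ki})
    genuine = Sim(IMSI, ki)
    clone = Sim(IMSI, ki)         # attacker who recovered Ki, as in the 2G scenario above
    imsi_only = Sim(IMSI, bytes(16))  # attacker who has only the IMSI
    results = {
        "genuine": auc.authenticate(genuine, "msc-nyc", 1000),
        "clone": auc.authenticate(clone, "msc-remote", 1020),
        "imsi_only": auc.authenticate(imsi_only, "msc-remote", 1030),
    }
    return results, auc.duplicate_imsis()


if __name__ == "__main__":
    results, suspects = demo()
    print(results)   # the clone passes: the network cannot tell it from the real SIM
    print("suspect IMSIs:", suspects)
```

The cryptography accepts the clone because it is correct by construction: both cards hold Ki, so both answer every RAND. Knowing the IMSI alone gets nothing. What the carrier can still see is the behavioural side effect, the same identity answering challenges in two places twenty seconds apart, which is why duplicate-IMSI monitoring sits on the mitigation list alongside retiring the 2G fallback that made Ki recovery possible.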
What About eSIMs?
eSIM Basics
- An eSIM is not fundamentally different from a physical SIM:
  - Still stores IMSI + Ki.
  - Still performs challenge-response.
- Difference = it’s a rewritable profile stored in the phone, downloaded via QR code or carrier provisioning server.
New Attack Surfaces With eSIM
- Profile Theft:
  - If an attacker compromises the carrier’s SM-DP+ provisioning server, they can issue duplicate eSIM profiles.
  - Equivalent to SIM swap at scale.
- Man-in-the-middle During Provisioning:
  - If attacker intercepts or spoofs the QR provisioning process, they might trick a victim into installing a malicious eSIM profile.
- Insider Threats:
  - Just like SIM swap, an insider at the carrier can push an attacker-controlled eSIM profile to replace the victim’s.
Why eSIM Is Harder to Clone Cryptographically
- eSIMs typically enforce newer authentication algorithms (MILENAGE for LTE/5G).
- Ki extraction attacks (like old COMP128 cracking) are no longer practical against modern eSIMs.
- However, since carriers still allow legacy fallback, the subscriber identity can still be attacked if:
  - The eSIM is downgraded to GSM.
  - Carrier uses weaker authentication for legacy compatibility.
Why Adversaries Deploy SIM Boxes Locally (e.g., Near the UN)
Even if SS7 abuse can be done remotely, local SIM box deployments offer:
- Bypass of geo-filters: Traffic appears as trusted U.S. subscribers.
- Direct interception: When paired with IMSI catchers.
- Mass smishing capacity: Millions of SMS to high-value targets at once.
- Redundancy: Works even if SS7 firewalls block foreign requests.
This explains why the Secret Service treated the NYC seizure as a national security event — it was during the UN Assembly, with diplomats concentrated in one area.
Case Study: SIM Box + GSM Interceptor Attack on Diplomatic Communications
Stage 1 — Initial Setup
- Adversary (state-sponsored unit) sets up two pieces of kit:
  - GSM Interceptor (IMSI Catcher / Stingray): Deployed in a van or hotel near the UN. Pretends to be a strong local tower (2G/3G).
  - SIM Box Cluster: Installed in a hidden location with hundreds of U.S. carrier SIMs. These SIMs act as “subscribers” inside U.S. networks.
Purpose: GSM interceptor captures traffic locally, SIM box relays it invisibly into the network.
Stage 2 — Target Acquisition
- Diplomat arrives in NYC with their personal or official phone (U.S. SIM).
- Phone automatically connects to the fake tower (IMSI catcher) because it has stronger signal.
- Attacker immediately:
  - Logs the IMSI/IMEI (unique identifiers).
  - Forces a downgrade from 4G/5G → 2G to strip encryption.
Result: The diplomat’s traffic now flows through the attacker’s tower.
Stage 3 — Call/SMS Interception
- When the diplomat receives an SMS OTP from a bank, or a sensitive call:
  - IMSI catcher intercepts it first.
  - Instead of dropping the message (which would alert the victim), the interceptor passes it into the SIM box cluster.
  - SIM box re-injects the traffic into the real U.S. network, making it appear legitimate.
Outcome:
- Diplomat receives OTP SMS as normal.
- SIM box logs OTP before forwarding.
- Calls can be recorded, replayed, or modified.
Stage 4 — Active Exploitation
- With OTP access, adversaries can:
  - Hijack email or cloud accounts.
  - Access financial platforms.
  - Spoof messages back to staff for social engineering.
- With call interception, adversaries can:
  - Eavesdrop on diplomatic conversations.
  - Manipulate call routing (e.g., drop or delay calls).
Stage 5 — Scale of Operation
- The Secret Service seized: 300 SIM servers + 100,000 SIM cards.
- With this setup, adversaries could:
  - Rotate SIMs constantly to avoid detection.
  - Send millions of smishing messages during the UN week.
  - Maintain persistent access across multiple carriers.
This isn’t just one diplomat → it’s potentially hundreds of high-value targets simultaneously.
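Stages 2 and 3 of the case study leave a trace on the handset itself, and that is where a high-value user has any chance of noticing. The following is an added example that is not part of this article: a rule set over a constructed sequence of the baseband's serving-cell reports, of the kind a catcher-detection app on the phone evaluates. It flags a drop from LTE to GSM while the LTE signal was still good, an unknown and unusually loud cell, a location-area change onto that unknown cell, and a GSM link running with the A5/0 (no encryption) cipher. The known-cell list, thresholds and trace are assumptions, and the example assumes the baseband exposes the cipher in use, which many stock phones do not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RadioEvent:
    """One snapshot of the phone's serving cell (constructed for this example)."""
    ts: int        # seconds
    rat: str       # radio access technology: "LTE", "UMTS" or "GSM"
    cell_id: str
    lac: str       # location / tracking area code
    rssi_dbm: int  # received signal strength
    cipher: str    # air-interface cipher reported by the baseband


RAT_RANK = {"GSM": 1, "UMTS": 2, "LTE": 3}
GOOD_SIGNAL_DBM = -95   # above this there is no radio reason to drop to 2G
VERY_STRONG_DBM = -60   # a cell this loud is usually very close

# Constructed baseline: cells this handset has legitimately camped on before.
KNOWN_CELLS = {"lte-101", "lte-102", "lte-103", "umts-201"}

# Constructed trace: a normal LTE handover, then a sudden 2G cell with no encryption.
SAMPLE_EVENTS = [
    RadioEvent(0,  "LTE", "lte-101",  "1001", -80, "EEA2"),
    RadioEvent(30, "LTE", "lte-102",  "1001", -85, "EEA2"),
    RadioEvent(60, "GSM", "gsm-9999", "7777", -45, "A5/0"),
    RadioEvent(90, "GSM", "gsm-9999", "7777", -45, "A5/0"),
]


def indicators(events, known_cells):
    """Map each indicator name to the timestamp at which it first fired."""
    found = {}

    def note(name, ts):
        found.setdefault(name, ts)

    for prev, cur in zip(events, events[1:]):
        # Falling from LTE/UMTS to GSM while the old signal was fine is the
        # downgrade a rogue base station forces to strip modern encryption.
        if RAT_RANK[cur.rat] < RAT_RANK[prev.rat] and prev.rssi_dbm > GOOD_SIGNAL_DBM:
            note("downgrade-despite-good-signal", cur.ts)
        # A never-seen cell that is far louder than the real ones nearby.
        if cur.cell_id not in known_cells and cur.rssi_dbm >= VERY_STRONG_DBM:
            note("unknown-cell-very-strong", cur.ts)
        # A5/0 means the GSM link is running in the clear.
        if cur.cipher == "A5/0":
            note("no-encryption", cur.ts)
        # Location-area changes normally land on cells we have seen before.
        if cur.lac != prev.lac and cur.cell_id not in known_cells:
            note("lac-change-to-unknown-cell", cur.ts)
    return found


def assess(events, known_cells=KNOWN_CELLS, min_indicators=2):
    """Return ("suspicious", findings) when enough independent indicators coincide."""
    found = indicators(events, known_cells)
    verdict = "suspicious" if len(found) >= min_indicators else "ok"
    return verdict, found


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

Requiring two or more indicators matters: a single downgrade happens legitimately at the edge of LTE coverage, and a strong unknown cell may simply be a new site. All four firing at the same second, as in the constructed trace, is the signature the case study describes, and the only response a user can take in the moment is the one the mitigation section gives: treat the link as untrusted and move to an end-to-end encrypted channel.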
Mitigation Recommendations
For Carriers
- Decommission 2G/3G fallback.
- Deploy SS7/SIGTRAN firewalls to filter malicious signaling.
- Detect duplicate IMSIs across multiple locations.
- Harden eSIM provisioning servers with strict HSM-based controls and insider monitoring.
For Enterprises
- Stop using SMS OTP for authentication.
- Move to hardware keys (FIDO2, YubiKeys) or app-based MFA.
- Subscribe to telco risk feeds (detect SIM swap/clone anomalies).
For High-Value Users (diplomats, executives, journalists)
- Treat SMS as insecure.
- Use end-to-end encrypted messengers (Signal, WhatsApp).
- Request SIM swap locks from carriers.
- Carry separate secure comms devices for personal/banking/government work.
Conclusion
The seizure of 300 SIM servers and 100,000 SIMs in New York is not just a fraud case — it reflects the blended use of legacy telecom weaknesses, physical rogue nodes, and global signaling abuse in modern cyber-espionage.
- SIM boxes alone = fraud at scale.
- GSM interceptors alone = localized surveillance.
- SS7/SIGTRAN abuse alone = global rerouting.
- Together = rogue telecom nodes capable of national-level disruption.
The telecom ecosystem remains a critical but fragile piece of global infrastructure. Until carriers fully retire legacy protocols and enterprises abandon SMS-based security, attackers — from fraudsters to nation-states — will continue to exploit it.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator and has also worked for different security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.