Former employees claim that Mitto AG’s network used to track people via mobile phones.
According to former workers and clients, the co-founder of a company trusted by technology giants like Google and Twitter to supply sensitive passwords to millions of their consumers also managed a service that eventually enabled governments discreetly surveil and track mobile phones.
Mitto AG has built a reputation as a provider of automated text messages for things like sales promotions, appointment reminders, and security codes required to log in to online accounts since its establishment in 2013, advising customers that text messages are more likely to be noticed and engaged with than emails in their advertising strategies.
Mitto, a privately owned company based in Zug, Switzerland, has started its business by establishing partnerships with telecom operators in more than 100 countries. It negotiated deals that allowed it to send text messages to billions of phones in almost every country on the planet, including Iran and Afghanistan, which are extremely difficult for Western corporations to infiltrate into. According to Mitto documents and former employees, the company has attracted large technology companies as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn, and messaging software Telegram, as well as China’s TikTok, Tencent, and Alibaba.
However, according to a Bloomberg News investigation conducted in partnership with the Bureau of Investigative Journalism in London, Mitto’s co-founder and chief operating officer, Ilja Gorelik, was also selling access to Mitto’s networks in order to discreetly find people via their mobile phones.
According to four former Mitto employees, the fact that Mitto’s networks were also being used for surveillance wasn’t shared with the company’s technological clients or the mobile operators Mitto works with to distribute its text messages and other data. According to these people, only a limited number of people within the organization were aware of the other service. According to the employees, Gorelik offered the service to surveillance-technology businesses, which then contracted with government agencies.
Mitto published a statement claiming that the company had no role in the surveillance industry and that an internal investigation had been launched “to determine if our technology and business has been compromised” then Mitto would “take corrective action if necessary”.
“We are shocked by the assertions against Ilja Gorelik and our company,” according to the company. “To be clear, Mitto does not, has not, and will not organize and operate a separate business, division or entity that provides surveillance companies access to telecom infrastructure to secretly locate people via their mobile phones, or other illegal acts. Mitto also does not condone, support and enable the exploitation of telecom networks with whom the company partners with to deliver service to its global customers.”
Requests for comment from Gorelik were not returned. Gorelik’s current position with Mitto was not discussed by a Mitto representative.
Two former employees of a company that provides intelligence-gathering technology to government agencies and law enforcement said their company worked with Gorelik to install custom software at Mitto that allowed their customers to track the locations of mobile phones and, in some cases, obtain call logs for specific people. There was essentially no control of alleged surveillance carried out via Mitto’s technology during the time the former employees claim they were engaged in the task, presenting potential prospects for misuse, they claim.
According to a cybersecurity analyst familiar with the situation and documents reviewed by Bloomberg News, at least a phone number linked with a top US State Department official was targeted for surveillance in 2019 using Mitto’s equipment. Because of a confidentiality agreement, the analyst demanded anonymity. It’s unclear who was behind the efforts to target the official, who was not named in the materials or by the analyst.
The disclosures, according to Marietje Schaake, international policy director at Stanford University’s Cyber Policy Center, are “troubling” and show a “huge problem.”
“The biggest technology companies that provide critical services are blindly trusting players in this ecosystem who cannot be trusted,” said Schaake, after being told about Bloomberg’s and the Bureau’s reporting. “It’s dangerous for human rights. It’s dangerous for trust in an information society. And it’s dangerous for trust in companies.”
Senator Ron Wyden, a Democrat from Oregon and a member of the Senate intelligence committee, advised that he had previously voiced concerns about security flaws in US phone networks, which he thought could be used to spy on government officials. “I’m very concerned that the federal government has done nothing to protect federal employees from this sophisticated surveillance threat,” Wyden said.
According to corporate documents, Mitto’s partner networks have included Vodafone, Telefonica, MTN, and Deutsche Telekom. Vodafone’s enterprise division has partnered with Mitto to deliver text-messaging services in two countries, according to the company. A Telefonica spokesperson said he couldn’t confirm whether the company had a partnership with Mitto right away, but that he was looking into it. Requests for response from MTN and Deutsche Telekom were not returned.
There’s no indication that the monitoring operation compromised any data of the tech companies that rely on Mitto to send messages. Twitter and WhatsApp representatives declined to comment. A spokesman for LinkedIn, which Mitto lists as a client on its website, said the firm does not engage with Mitto and would not say whether it did in the past. Alibaba stated that it was unable to confirm any connection to Mitto at this time. Google, Telegram, TikTok, and Tencent representatives did not respond to queries for comment.
The discoveries provide yet another example of governments and private companies reportedly exploiting security flaws in global telecommunication infrastructure to spy on citizens. The market for mobile phone surveillance technologies has been evaluated at $12 billion, because of a spike in technology capabilities that allows governments to hack, track, and otherwise monitor people’s phones and communications. Despite the industry’s magnitude, companies that provide the tools frequently operate outside of the public eye and are subject to little oversight.
Many monitoring businesses and their government clients, such as Israel’s NSO Group, claim that the technology is used to catch criminals and terrorists. However, according to reports from media organizations and digital rights organizations, governments have abused surveillance technology to spy on dissidents, journalists, and others in recent years.
“The private sector surveillance industry is growing fast, but it’s operating in the dark, without any accountability or transparency, and there have been real human rights implications because of that,” said Jonathon Penney, a research fellow at Citizen Lab, a research group at the University of Toronto that has repeatedly exposed alleged misuse of surveillance technology.
Mitto was launched in 2013 by Gorelik and Andrea Giacomini, two European businessmen who had a passion for telecommunications. According to former Mitto employees, while the company’s headquarters are in Switzerland, the majority of the company’s about 250 employees have been situated in Germany and, more recently, Serbia.
According to company records, Gorelik began his career as an IBM IT professional before becoming a technology entrepreneur and investor, contributing to the development of the Lovoo dating app.
He supported the development of Mitto’s technical infrastructure. Former colleagues claim he sent emails under a pseudonym and planted malware on their computers.
Mitto leased hundreds of “global titles” from telecommunications firms, which are unique addresses used to route messages, allowing the Swiss firm to send text messages in bulk to people all over the world.In the beginning, Mitto’s core business was offering marketing and advertising services. According to former Mitto employees, businesses would pay Mitto to send millions of text messages promoting items or events. According to former employees, the company specialized in sending security codes to its customers through text message, giving out one-time passwords and two-factor authentication codes that allow consumers to authenticate their identity when logging into or creating accounts on websites.
Mitto had developed direct links to mobile phone networks in over 100 countries and formed relationships with significant telecommunications firms by 2017.
According to four former Mitto employees, between 2017 and 2018, Gorelik began offering surveillance-technology companies access to Mitto’s networks, which were subsequently used to find and track people via their mobile phones.
The alleged scheme entailed exploiting flaws in the SS7, or Signaling System 7, communications protocol, which serves as a sort of switchboard for the global telecommunication industry. SS7, which was first designed in the 1970s, has a number of documented weaknesses that governments and commercial surveillance businesses have used to spy on phones in the past.
According to a 2017 assessment from the US Department of Homeland Security, security flaws in SS7 allowed an adversary to establish the physical location of mobile devices and intercept or divert text messages and voice conversations.
Despite security issues, mobile network operators continue to utilize SS7-based technologies, in part because they are expensive and difficult to change, according to Tobias Engel, a researcher who specializes in mobile phone network security. Mobile phone network operators can use firewalls to detect and stop surveillance attempts that take advantage of SS7 security flaws, but those systems must be updated and tested on a regular basis, according to him.
According to former workers, Mitto’s partnerships with telecommunications organizations provided the company with SS7 access, which Mitto could use to route text messages in bulk throughout the world’s mobile networks.
According to Pat Walshe, a privacy specialist with more than two decades of experience in the telecommunications business, “there is a lack of audit and accountability” in this procedure, which allows SS7 access to be exploited for surveillance purposes.
Gorelik allegedly provided monitoring services to various companies, according to four former Mitto workers familiar with his claimed operations. According to former employees, Gorelik allegedly told certain colleagues that he had contacts to a national espionage agency in the Middle East and was assisting that country’s defense ministry in tracking people’s locations.
TRG Research and Development, based in Cyprus, used Mitto’s network to provide surveillance services to customers from 2019 to 2021, according to four former employees. Due to confidentiality agreements, the employees demanded anonymity.
TRG’s Intellectus software platform, which employs third-party applications to supply information requested by government agencies, is available to governments and law enforcement agencies. TRG’s aim is to “help our customers in the fight against crime and terror,” according to its website, by delivering “conclusions based on our data collection and data fusion engines.”
Two former TRG workers said that business employees had worked directly with Gorelik, obtaining location data on targeted mobile phones and, in some cases, call logs showing who specific people were calling and when, using Mitto’s access to worldwide mobile phone networks. TRG had used Mitto’s network, according to the other two former employees, but they couldn’t establish whether Gorelik was personally involved.
TRG has never had a “commercial relationship” with Mitto and has never worked with Gorelik, according to a company representative. “If anyone within TRG or Mitto has” had such relationships, it is a personal relationship and is not related to TRG, the spokesperson said. A Mitto representative declined to comment on the company’s alleged relationship with TRG.
According to the spokesman, Intellectus is run entirely by customers.
According to a TRG representative, government customers sign an end-user statement confirming that the technology is handled in accordance with their national laws and that the system is not being abused. “TRG has an internal legal & compliance department which conducts thorough due-diligence checks for each and every end user,” the spokesperson said. “Automated algorithms in Intellectus may detect any misuse in regards to usage of the system, which subsequently block access of the respective user(s).”
TRG has recently advertised for personnel with experience in telecommunications signaling protocols like SS7, as well as knowledge of “lawful interception,” a term used in the business to refer to the surveillance of communications. The Intellectus technology can be used to follow people’s locations, monitor their phone and text-message records, and identify their Facebook connections, according to images on TRG’s website.
TRG’s spokesman stated that the company has no spying or signaling capabilities.
“The personnel we hire are part of the TRG roadmap for providing the fusion solution to fight crime and terror,” the spokesperson said. “Such a solution requires many different vertical know-how in order to be a market leader.”
The four former TRG employees said that their work with Mitto’s network was done while they were still employed by TRG, and that some of the company’s senior leaders were aware of it.
Two former TRG workers claimed that Gorelik had personally placed special TRG software within Mitto’s computer networks. TRG’s software had established a “signaling connection” between Mitto and specific mobile network operators, they said. These connections are intended for legitimate usage, such as routing calls or messages to phones.
According to the four former TRG employees, TRG’s software may be used to spy on targeted phones for government customers. According to former TRG employees, TRG’s software could send queries to mobile phone networks that would mislead them into handing back a trove of data.
The exact list of customers for the surveillance business is unknown, and we were unable to confirm the purchase of the service by numerous companies cited by former Mitto workers and surveillance industry insiders.
According to prior allegations from the Bureau of Investigative Journalism and Citizen Lab, other monitoring organizations, like the Israeli firm Rayzone and Bulgaria-based Circles, have allegedly sold capabilities that exploit flaws in SS7 protocols to government customers.
According to former Mitto employees, Gorelik’s involvement with the monitoring sector was a well guarded secret. However, one cybersecurity expert in the telecommunications business raised suspicions.
In November of this year, one particular incident jumped out. According to records of telecommunication network activity and a cybersecurity analyst who evaluated them, a sudden flurry of signaling messages, which are typically used to request location information about a specific phone, were targeted at the senior US State Department official. Because of a confidentiality agreement, the analyst spoke on the condition of anonymity.
At least 50 signaling messages were sent at a rate of one or more every second to a U.S. phone network used by the official, seeking information on the person’s mobile phone and its location, according to the documents. According to the documents, the signaling messages were delivered via a succession of unique addresses — or global titles — that were all leased by Mitto.
Mitto’s network was also linked to the attempted surveillance of a person in South East Asia in July 2020, according to the analyst, whose identity was also not revealed. According to the records, the company’s global titles used in Russia, Zambia, Madagascar, and Denmark sent out a coordinated flood of signaling signals targeting the person’s phone. According to the cybersecurity specialist, the communications included a command that can be used to secretly retrieve text messages.
Security systems detected the attempts targeting the State Department official and the person in Southeast Asia as malicious and prevented them, according to the analyst. According to the analyst and the logs, Mitto’s system was caught engaging in identical activities on dozens of other occasions.
The data showed that Mitto’s infrastructure had been used to facilitate signaling attacks all around the world, according to the expert. The analyst did not say which surveillance technology company was engaged in the claimed occurrences, if any were involved at all.
Gorelik’s alleged surveillance activities at Mitto created significant discomfort among those who claim to have been aware of it. The company claims to be the “most trusted” provider of text message services in the industry, and claims to provide those services “free of any potential threats and risks.”
Three former Mitto employees said they left partly because they believed Gorelik’s alleged work in the surveillance sector created a conflict, jeopardizing the company’s capacity to ensure the privacy and security of the messages it handled.
Former employees claimed that some of Gorelik’s actions had generated further concerns.
According to seven former employees, Gorelik was rarely at the company’s offices for more than a year, ending at the beginning of 2017, and sent emails and messages under the name “Ingo Gross.” Former Mitto employees claimed Mitto executives informed them Gorelik couldn’t use his true name for legal reasons that were never revealed to them.
Six former employees claim that Gorelik began spying on some of his coworkers shortly after that, using the company’s access to communications networks to occasionally check his employees’ locations. Gorelik was also known for questioning employees about their non-business use of work computers.
It was then revealed how he was able to determine which websites they were accessing. A group of developers at Mitto’s Berlin office found that in the summer of 2019 Gorelik had installed a spy tool on work PCs that took a screenshot every two minutes. According to Henriette Picot, a Munich-based commercial technology lawyer, it is illegal for companies to install spyware on employee computers unless there is convincing evidence of criminal behavior or major breach of duty.
Mitto said in a statement that it “uses customary and legal techniques” to monitor who accesses its computer network and internet activity on a regular basis or based on solid concerns.
“None of our employees has ever brought to our attention that they feared illegal spyware was being used on their company-provided workstations,” the company wrote.
According to the former employees, Gorelik explained in a staff meeting that he had installed the spy technology because he was concerned about employees disclosing confidential information.
According to Stefan Link, a former senior customer service engineer, Mitto later scaled down its presence in Germany and relocated to Belgrade, Serbia. He stated that he was unaware of the alleged spying service.
Link, who worked for the company in Berlin, said that his position was outsourced to Serbia and that his contract was not extended when it expired in mid-2018. “It was leadership based on fear,” he said, citing the alleged spying on employees’ computers and Gorelik’s occasional berating of colleagues. “And you didn’t know who you could trust.”