Cache of Devices Capable of Crashing Cell Network Is Found in NYC
Posted3 months agoActive3 months ago
nytimes.comTechstoryHigh profile
skepticalmixed
Debate
80/100
Telecom SecuritySim Card FraudCybersecurity
Key topics
Telecom Security
Sim Card Fraud
Cybersecurity
The US Secret Service discovered a large cache of devices capable of crashing the cell network in NYC, sparking debate about the true purpose and implications of the operation.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
18m
Peak period
126
0-12h
Avg / period
26.7
Comment distribution160 data points
Loading chart...
Based on 160 loaded comments
Key moments
- 01Story posted
Sep 23, 2025 at 7:29 AM EDT
3 months ago
Step 01 - 02First comment
Sep 23, 2025 at 7:47 AM EDT
18m after posting
Step 02 - 03Peak activity
126 comments in 0-12h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 29, 2025 at 2:28 PM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45345514Type: storyLast synced: 11/20/2025, 8:23:06 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
No mention of arrests or surveillance of any site to try and apprehend anyone related.
https://www.cnn.com/2025/09/23/us/swatting-investigation-ser...
EDIT:
While the headline on NYT highlights an attack on the towers for disruption, the CNN piece gives more weight to two other uses: (1) criminal communication network and (2) swatting.
I think those two make sense. The SIMs would probably hold US numbers and would appear authentic for accessing the US operators' networks.
It’s a cell tower jammer and terrorism multiplier. Can’t call or text. It will probably disturb internet service as well. Include a few radio jammers for local police and a few satellite antennas you could create an opportunity then a panic to cover your tracks getting out.
When you think about the sheer scale of monitoring every cell phone in the country it probably doesn't stand out nearly as much as you would expect.
The UK has criminalized possessing or using SIM farms or related gear in response to these popping up with some regularity. But the operators are pretty clever and know how to hide. I've been thinking about how easy it would be to detect these when you're a telco and I think the signature is unique enough that it should be possible to detect which SIMs are part of a farm, even if you don't know the exact location of the farm.
Whoever did this likely isn't all that happy that their carefully created infra was used to harass officials, which most likely is the single reason this operation got uncovered in the first place. If it would have just been used for low level crime who knows how long they could have continued to do this.
Note that these are not unique to NYC or even to the United States, they've been found in other countries as well, the UK has now criminalized possession or operation of these (but the fines are so low that I don't think it will make much difference).
Uh. No it isn’t. SNR between 5 or so masts gives you the exact location of any cell device. This is how $oldemployer used to track them
IIRC modern cell towers use cool tricks to send stuff for a particular phone to only where that phone is so they can send more total data. Can this not be turned into a precomputed map by taking a test phone everywhere and seeing what settings the tower picks to talk to it?
FYI: That was available back in 2022 as standard. Now it could be even better. :P
I'm not saying it can't be done, clearly it can be done otherwise this article wouldn't exist. But it is not quite as easy as pointing a magic wand (aka an antenna) at a highrise and saying '14th floor, apartment on the North-West corner', though that would obviously make for good cinema.
Subpoena the power, water & gas company, and look at apartments that have unusual power usage, coupled with almost zero water & gas usage. Especially look at apartments that don't have a spike in power usage in the morning & evening that corresponds to people having a regular commute.
I'm not sure how much power this equipment draws at idle - I'm assuming it's more idle at night, no need to send scammy SMS messages at 3am Eastern - but I'd wager you could track that.
Granted, it's not fast, but depending on how quickly the companies bend over backward for such a request & how good your interns are at using Excel, you might be able to get this done before sundown.
For those who have not seen it before, Waterwitch is on page 43 of the 2013 catalog here [1], and is described as "Hand held finishing tool used for geolocating targeted handsets in the field". It did seem to require, if I'm reading right, that the target be connected to a malicious GSM router called "Typhon" (page 42).
[1] https://www.cryptomuseum.com/covert/bugs/nsaant/files/NSA_AN...
Portable spectrum analyzers are regularly used to identify interference in urban environments. Even a damaged cable coax line on the street can interfere with cellular signals.
Even before doing that, a handheld Yagi in the parking lot will easily narrow it down to a couple of floors in a specific quadrant of the building.
But when people think of beam forming as “pointing a beam at a phone” that’s kinda thinking of the problem backwards. Modems beam form by looking at the various bits of signal delay coming down multiple antenna, and computing a transform function that will effectively result in the signal it sends mimicking those delays and thus forming a beam pointing in the opposite direction of the incoming signal.
But the modem has no idea what physical direction that beam is pointing in, and doesn’t care. It just know how to analyse an incoming signal to effectively mask the inputs from different antenna in order to extract a very weak signal, by taking advantage of constructive interference between a signal received on multiple antenna, and in turn invert that function to create an equivalently strong constructive interference pattern at the source of the signal when replying.
Most important the modem has no idea what the actual signal path was, it could have bounced of several buildings, been channeled by some random bit of metal acting as a wave guide, or any other manner of funky interference that literally any physical object creates. All it knows is that is a viable signal path must exist (because it received something), and it can compute a function to send a return signal back down the same path. But it’s very hard to turn that abstract signal path function the modem understands, into an actual physical direction. Not without doing a load of extra calibration and sampling work to understand exactly how all the antenna the modem uses interact with each other, which nobody does, because that information won’t improve the cell towers performance.
If you have MIMO, i.e., multiple signal streams, it will be more like an 4x4 matrix instead (how loud should radio X shout signal Y), and you'll not only optimize for “signal 1 should be the loudest possible at receiver 1” but _also_ “signal 1 should be at the _most quiet_ possible at receiver 2”.
The fact that cheap consumer devices are able to do this fairly reliably (one could even say it's pedestrian) at near-gigabit speeds says something about how insane our level of technology is.
It's also amusing to see lots of people state with great authority how simple it is to track down a transmitter, when in fact they've probably never so much as participated in a fox hunt, which can get quite interesting at higher frequencies and when not in open field.
If the reporting around this is accurate, sounds like someone(s) was swatting through these, which brought the attention needed to find this group.
Because - depending on cell tower coverage and the antennas installed on it - the degree of precision is far too low to be useful. In rural installations and the worst case, aka a tower with a dipole antenna on a mountaintop, at 900 MHz the coverage will be around 35 km. Segmented antennas just limit the section of the circle where the endpoints are. In suburban areas, coverage is usually 10-20 km, and urban areas it's 5km and less.
Now you know which cell and cell section the user is in... but to actually pinpoint the user? That takes some more work. First, you need a few more towers that the user can reach for triangulation - the more the better - but if the operator of such a setup is even remotely clever and the hardware/firmware supports it, they will have locked the devices to only connect to a single tower (you can see a map at [1] that shows the IDs). If the operator didn't do that but the site is too remote to achieve triangulation, you might need to drive around in a van and use an IMSI catcher, aka a phone tower emulator, and hope that eventually the site's devices register at it. That, however, is a lot of awful work, and is often not legal for police authorities, only for secret services.
Now you might ask yourself, what about 911, how can they locate callers precisely? The thing is... it depends. Landlines and VoIP lines are usually mapped to a specific address (which is why VoIP providers give you an explicit warning that, if you do not keep that record up to date, 911 calls will be misrouted!), so that's trivial. Mobile phone callers however, until a few years ago the degree of precision was exactly what I just described - it completely depended on celltower coverage, with the only caveat that a phone will connect to another operator if it shows a stronger signal for 911 calls. Only then, Android introduced Emergency Location Service [2] and Apple introduced Hybridized Emergency Location [3] - these work with the sensors on the phone, most notably GPS/GLONASS/Beidou, but also SSIDs of nearby WiFi APs and specific Bluetooth beacons. Downside of that is, of course, the 911 dispatch needs an integration with Apple and Google's services, users can disable it for privacy reasons, and older phones won't have anything - so in these cases, 911 dispatchers are straight out of luck and again reduced to the above range of precision.
[1] https://opencellid.org/
[2] https://www.android.com/safety/emergency-help/emergency-loca...
[3] https://www.apple.com/newsroom/2018/06/apple-ios-12-securely...
The last three places I've lived, I'd never seen the residents of fully half the apartments on my floor. They could have been jam packed with SIM farms, or abandoned tigers, or dead hookers in chest freezers for all I or anyone else in the building knew or cared about.
An apartment where nobody bothers their neighbors or the super, but keeps the rent checks coming, is the absolute best case scenario for everyone involved.
And again - if an unattended apartment is raided, there's nobody there to drop names. You lose the investment, but that's likely a lesser problem than worrying about what Kasim is going to tell the cops once the handcuffs go on.
Assuming you have carrier diversity on your sims, you could likely manage good enough backhaul over the sims for the control layer. At least for grey market SMS; grey market voip might need more consistent networking. Grey market VPN, eh... variable conditions might help customer traffic be considered mobile.
HP if memory serves me right. Around 20 years ago.
> Investigators found the SIM cards and servers in August at several locations within a 35-mile radius of the United Nations headquarters. The discovery followed a monthslong investigation into what the agency described as anonymous “telephonic threats” made to three high-level U.S. government officials this spring — one official in the Secret Service and two who work at the White House, one of the officials said.
So 100k SIM cards scattered around the middle of New York City.
Probably an egress point for scammers and bot farms, and the speculation about local disruptions isn't grounded in anything other than scale?
I've used hardware a decent amount larger than what's pictured in the OP for work. But what I was using wasn't just for SMS. So I needed more sophisticated modems. What they're using looks like a bunch of 64 port modem banks exclusively for SMS.
(Oh wait if you mean the devices for what's in the article you linked, then yea, those I'm sure are much smaller and quite different.)
But we had enough volume that we could typically get improvements on routing by asking aggregators about difficult destinations (unless the difficulty was coming intentionally from the destination carrier). The aggregators do sometimes use grey routes from SIM farms. Squishyness around terms of use and accounting would have been an issue too, we would not have been able to fly under the radar on 'unlimited messaging'
Another potential use could be if you needed to send a lot of alerts to your employees/customers in a short period. Most aggregators have rate limits, and so do carriers... if you're a big customer, you can probably get limits raised; if you only have an occasional need, you might prefer to have a large number of low cost SIMs.
More likely an egress point for cheap VOIP routing.
This is a to take advantage of "free calls to North America" provided by MVNOs, and free < cheap. Twilio starts at $0.01/min; 1 cent/minute x 200 lines results in a delta of $2.8k per day. I'm assuming a 20% utilization rate[1] on a device that holds 1000 SIMs
Further, it's a way to bypass STIR/SHAKEN requirements for a less-than-legitimate VOIP termination operations, which can attract paying customers that want to evade detection, typically criminal endeavors.
1. 20% utilization is pretty generous, but even if its 2%, not using Twilio is profitable at scale.
Round-robining around some unlim SIM cards to stay below the radar will be cheaper.
> "several locations within a 35-mile radius of the United Nations headquarters"
That's the entirety of New York City!
edit to add: This very weird part was actually lifted from the USSS press release,
> "These devices were concentrated within 35 miles of the global meeting of the United Nations General Assembly now underway in New York City."
https://www.secretservice.gov/newsroom/releases/2025/09/us-s... ("U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area")
The article:
https://www.cnn.com/2025/09/23/us/swatting-investigation-ser...
The article mentions a "circle around NYC's cellular network infrastructure".
Looking at a map, a 35 mile as-the-crow-flies (and as the cell network signal flies) radius of the U.N. Secretariat building almost gets one to Lake Hopatcong, New Jersey, in one direction and past Stamford, Connecticut, in another.
The SIM cards come from cheap MVNOs that have dealer arrangements for cheap or free first month activations, then they just set up a handful of SIM boxes and a residential Internet connection back to the mothership (like they did at the captured house with the white Verizon 5G Home router just casually sitting on the floor next to the units).
Similarly, I’ve had some friends on US MVNOs themselves that have access to “free” international calling, yet every time they call (the same) international number the receiving party gets a wildly different caller ID from a wildly different country each time (Poland, Moldova, etc). Also dodgy SIM boxes!
Or grey-route bulk messaging and SMS OTP bypass so actors can register throwaway accounts on Signal/WhatsApp/Telegram, social platforms, fintech, crypto etc. then burn the numbers after use.
You need 100k SIMs to defeat per-SIM rate/behavior caps, receive OTPs for mass account creation and run thousands of campaigns/conversations in parallel while keeping each SIM's pattern below carrier detection thresholds.
It's not about the UN.
NYC is a prime market for "local presence" numbers (212/917/646 etc.), which boosts answer rates and trust for scams, impersonation, mass disinfo campaigns.
The real reason this shit is in NYC is because the number of tower cells is huge due to population density. It makes having a few hundred to thousand devices in one office a bit more viable.
Most are spoofed. Many, from local Long Island exchanges.
All the spoofed calls just reuse existing numbers. When I first started getting them, I called a couple, until I figured it out. I usually got some poor, confused schlub.
I’ve gotten some calls, myself, and have been said poor, confused schlub.
Yeah, the last time I asked for a 212 number from Verizon Wireless the guy literally laughed at me.
Skype was like that for a long time
There are schools everywhere, usually in places where there are lots of other amenities like shops, and doctors, and pubs.
So you mean... like, these are the exit points into the "legitimate" telephone network for, say, those random MedAlert scam calls I keep getting from numbers scattered all over North America? Or if not, what does "VoIP" mean here exactly?
Somehow I've missed this entire phenomenon...
Also, if the information would not exculpate the defendant, and the prosecution won't introduce it at trial as evidence of guilt, then the information can be withheld.
But I should mention the bad guys are trying to get grand jury assembled that would prosecute James Comey. Does that count as 'criminal trial process'? https://www.nytimes.com/2025/09/24/us/politics/james-comey-i...
I'm not a lawyer, but this corruption will be getting worse. That distinct is relevant still but for how long?
Now that Comey's been indicted, the trial process will begin, assuming he doesn't plea out (and I don't think he will). The uphill battle for the prosecution now begins.
Same year as the Phineas and Ferb reboot. Coincidence???
But the lyrics are still stuck in my mind, "The tri state area was the bi state area with an adjacent area, right over there".
I'm presuming this discovery was near the outer perimiter of that circle, because otherwise presumably they'd have quoted a smaller, scarier number.
I've used this before when I need to create an IG for a work project without wanting to link it to a personal number:
https://www.textverified.com/verifications
Lots of interesting discussions about cell phone networks lately.
Fake cell phone towers ICE is using to track people:
https://www.forbes.com/sites/the-wiretap/2025/09/09/how-ice-...
GrapheneOS (de-googled android) and FLX1s (pure Linux phone):
https://news.ycombinator.com/item?id=45312326
My question is: are any of these alternatives helpful against these novel attacks? If you are on a phone using a network vanilla provider like tmobile or otherwise, is there any way to prevent your phone from trying to connect to a fake network?
If I controlled the entire cell phone stack, like I would with FLX1s, then could I have something like the ssh initial connection signature:
Once I accept that sshd endpoint, I know my ssh client will protect me if the sshd changes and I'm experiencing a MITM.It would be a bit of a pain to accept a new cell tower when I'm in a new city, but I could imagine syncing a whitelisted trusted set of cell phone towers (ha, when I think of that the whole idea of "trusted" is laughable). But, at least I would have more insight into when I am getting surveilled. And, I could say "not today ICE!" or "tmobile, idk, please give me my HN fix, I don't even care if you know I'm aware my government is tracking me as I pay the service fee!" I bet a whitelist hosted on github would be faster to update than tmobile installing new cell phone towers so privacy enthusiasts could enable their own safety.
Prevent what exactly?
> If you are on a phone using a network vanilla provider like tmobile or otherwise, is there any way to prevent your phone from trying to connect to a fake network?
LTE and beyond have mutual authentication. Your phone will attach to any network for an emergency call, but attachment to LTE requires the network trusts your sim and your sim trusts the network. [1] No trust on first use necessary, because the SIM includes its private keys and public keys for the network.
[1] https://www.sharetechnote.com/html/Handbook_LTE_Authenticati...
(The country currently committing genocide with us tax payer bought weapons).
> The agency did not provide details about the threats made to the three officials, but Mr. McCool described some as “fraudulent calls.”
> Investigators have been going through the data on SIM cards that were part of the network, including calls, texts and browser history. Mr. McCool said they expected to find that other senior government officials had also been targeted in the operation.
The article goes out of its way to imply a link between this farm and the threats, but doesn't actually explicitly make that link.
The CNN article covering the same story does the same thing: https://www.cnn.com/2025/09/23/us/swatting-investigation-ser...
The Secret Service statement, however, does make that claim explicitly in the first sentence: https://www.secretservice.gov/newsroom/releases/2025/09/us-s...
The pictures of the confiscated equipment is every phone phreaks orgiastic wet dreams.
It is interesting that these sorts of things are going on in the first world, and until discovered anyone vocalizing suspicions of such a thing would be regarded as a paranoid delusional crackpot.
140 more comments available on Hacker News