In the global telecom ecosystem, trust is assumed but rarely verified. Every day, legitimate operators exchange signaling messages across borders to enable roaming. But among these trusted players, a few bad actors quietly pose as “roaming partners” to infiltrate networks. These fake roaming operators aren’t just anomalies—they’re a recurring symptom of how telecom trust can be weaponized.
The Anatomy of a Fake Operator
A fake roaming operator typically registers as an entity with a legitimate-looking Mobile Network Code (MNC) or Mobile Country Code (MCC). On paper, it appears to be an authorized partner; in practice, it operates as a fraudulent signaling endpoint used for reconnaissance, interception, or monetization.
These entities often:
- Acquire or hijack Global Titles (GTs) to send or receive SS7 or Diameter traffic.
- Build minimal network infrastructure (sometimes virtualized) to maintain credibility.
- Establish roaming agreements—real or spoofed—with legitimate carriers.
Once inside the global signaling web, these fake nodes behave like insiders, sending location requests, subscriber data queries, or SMS intercept attempts under the guise of lawful traffic.
Case Study 1: The Phantom GRX Partner
In one incident, a European operator observed unexpected signaling flows from what appeared to be a regional MVNO. Upon inspection, the supposed partner had no physical network and was using a leased GRX connection from a third-party hub.
By crafting legitimate-looking MAP SendRoutingInfo and ProvideSubscriberInfo requests, the attacker was able to continuously track subscriber locations and intercept authentication flows. Because the traffic came from a “known” peer, it bypassed perimeter filters until cross-correlation exposed the abnormal request frequency.
Case Study 2: The Revenue Harvest Scheme
Another scenario involved a fake operator exploiting roaming test SIMs to simulate traffic patterns that triggered revenue-sharing fraud. By generating SMS and data sessions between its own IMSI range and compromised partners, it inflated interconnect settlements while exfiltrating call metadata.
Here, the abuse wasn’t about surveillance—it was about profit. Still, the attack used the same foundation: trust between operators and weak identity validation within roaming signaling exchanges.
Case Study 3: The Silent Listener
A particularly stealthy campaign involved an operator identifier allocated in a small jurisdiction. It appeared inactive but was still routed in global signaling directories (GT and SCCP). Threat actors used it to passively listen to MAP dialogues between real operators, gathering intelligence on numbering plans and network topology.
No malware. No breach. Just quiet, lawful-looking traffic flowing through a ghost network.
Why These Attacks Persist
The global signaling fabric—SS7, Diameter, and GTP—is built on assumed legitimacy. The entire roaming ecosystem depends on bilateral trust and slow-moving governance. Fraudulent operators exploit:
- Lack of real-time validation for new roaming entities.
- Loose filtering policies on legacy SS7 interconnects.
- Poorly maintained GT registries and outdated routing tables.
As networks evolve toward 5G, fake operators continue to exploit backward-compatible interfaces and shared roaming hubs, keeping the attack surface wide open.
Lessons from the Field
Fake roaming operators demonstrate that network trust is not a control mechanism—it’s a vulnerability. Effective mitigation starts with:
- Continuous monitoring of signaling peers and message patterns.
- Periodic GT and MNC/MCC validation.
- Cross-protocol anomaly detection across SS7, Diameter, and GTP.
- Collaboration between operators, regulators, and threat intelligence providers.
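The first two mitigations, applied to the pattern from Case Study 1 (a "known" peer exposed only by its request frequency), as an added example that is not from the original article. The log schema, GT prefixes, IMSIs, partner names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical allow-list of GT prefixes agreed with roaming partners (constructed).
PARTNER_GT_PREFIXES = {"99901": "PartnerA", "99902": "PartnerB"}
# MAP operations that reveal subscriber location or state.
TRACKING_OPS = {"SendRoutingInfo", "ProvideSubscriberInfo"}

def partner_for(gt):
    """Longest-prefix match of a calling GT against the partner allow-list."""
    matches = [p for p in PARTNER_GT_PREFIXES if gt.startswith(p)]
    return PARTNER_GT_PREFIXES[max(matches, key=len)] if matches else None

def build_sample():
    """Constructed records: (epoch_seconds, calling_gt, map_operation, target_imsi)."""
    recs = [(1200 + 30 * i, "999010000001", "ProvideSubscriberInfo", "999010000000001")
            for i in range(8)]  # allow-listed peer polling one subscriber every 30 s
    recs.append((1210, "999020000002", "UpdateLocation", "999020000000002"))
    recs.append((1300, "999020000002", "SendRoutingInfo", "999020000000003"))
    recs.append((1400, "999770000003", "SendRoutingInfo", "999010000000004"))
    return recs

def detect(records, window=300, max_requests=5, max_repeat_per_imsi=3):
    """Return {calling_gt: set of findings} using fixed time windows."""
    findings = defaultdict(set)
    buckets = defaultdict(list)
    for ts, gt, op, imsi in records:
        if partner_for(gt) is None:
            findings[gt].add("unknown_gt")         # fails GT validation
        if op in TRACKING_OPS:
            buckets[(gt, ts // window)].append(imsi)
    for (gt, _), imsis in buckets.items():
        if len(imsis) > max_requests:
            findings[gt].add("high_rate")          # too many queries per window
        if max(imsis.count(i) for i in set(imsis)) > max_repeat_per_imsi:
            findings[gt].add("repeated_tracking")  # same subscriber polled repeatedly
    return dict(findings)

if __name__ == "__main__":
    for gt, flags in sorted(detect(build_sample()).items()):
        print(gt, partner_for(gt) or "no agreement", sorted(flags))
```

The allow-listed GT passes the prefix check and is caught only by the per-window counters, which is why an allow-list alone does not cover this case; fixed windows can split a burst across a boundary, so a sliding window is the stricter variant.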
The truth is simple: until trust becomes verifiable, fake operators will remain part of the telecom landscape.



