US Secret Service Blocks Massive Telecom Attack in New York
The US Secret Service dismantled a large-scale communications-interception network in New York that used cell-site simulators, involving more than 300 SIM servers and 100,000 SIM cards. The network lured mobile phones by posing as legitimate base stations and carried out adversary-in-the-middle attacks to steal communications data. The operation highlights the threat this technology poses to national security and hints at possible nation-state backing. 2025-9-24 13:51:12 Author: www.trustwave.com (view original)


The Secret Service’s takedown in New York shines a light on a type of threat that is technically fascinating and deeply concerning for national security: large-scale cellular interception networks leveraging cell-site simulators (CSS), also known as IMSI catchers or Stingrays.

The news comes as New York City hosts the annual United Nations General Assembly, gathering heads of state from around the world and creating an incredibly target-rich environment for attackers.

What Did the Secret Service Find and How Does This Attack Work?

Agents discovered a web of more than 300 SIM servers and 100,000 SIM cards, built to conduct digital attacks by impersonating legitimate telecommunications infrastructure. At their core, these devices are designed to mimic cell towers. Mobile devices, which constantly seek the strongest cell signal, are lured by a rogue tower positioned closer to the handset than the carrier's legitimate towers.

After tricking nearby phones into connecting, the CSS creates an Adversary-in-the-Middle (AitM) scenario. Attackers can intercept calls and texts, manipulate services, conduct denial-of-service attacks, gather metadata, or create networks for anonymous and encrypted communication—all while remaining invisible to most victims. Once the data is captured, the phone may be handed off to a real tower, making detection even more difficult. Tools like these have legitimate uses in law enforcement—but when deployed covertly and at scale, they become weapons for surveillance and sabotage.

How Common Is This?

CSS devices like those found by the Secret Service have a dual history as tools of criminal activity and legitimate law enforcement. As documented by the Cato Institute, law enforcement agencies in at least 23 states, plus federal entities like the FBI and DEA, routinely deploy Stingrays to catch suspects and gather intelligence. These devices originated for military and intelligence use and have since become key tools of domestic police agencies, often acquired under federal grant programs and used in routine investigations, not just high-stakes terrorism or drug cases.

In terms of criminal use, small-scale versions of this technology aren’t new, or even expensive.

I remember a law enforcement raid at DefCon after someone was caught with a DIY Stingray in one of the hotels. Stingray use at DefCon is a very poorly guarded secret. These attacks are far from theoretical: anyone with basic skills and components can assemble a device to intercept local cellular traffic.

However, what sets the New York case apart is its sheer scale and coordination: a network this vast, impacting high-value targets during a major global event, is highly unusual, and the Secret Service suggested nation-state involvement in its announcement.

Back-of-the-envelope math hints at the involvement of a big player as well.

Just a cursory search shows $150 to $250 for a lot of 100 (5G) SIM cards. Even if this actor got a great deal on a bulk buy and we assume $100, that's still $10 million for the 100,000 SIM cards the Secret Service found. To turn those SIM cards into a CSS, a GSM gateway is used; another perfunctory look shows such equipment costing around $2,500 to $3,500. Multiply that by the 300 discovered by the Secret Service, and you can see that this attack is not getting any cheaper.

Figure 1. Secret Service Evidence photo showing multiple GSM gateway devices, each supporting 256 SIM cards. Source: https://www.secretservice.gov/sites/default/files/2025-09/SimBox.jpg

Why Does Scale Matter?

What’s novel here isn’t the technology, it’s the execution. Most Stingray incidents involve single devices or small clusters; a coordinated, city-scale deployment represents an order-of-magnitude leap in ambition and potential impact. This isn’t just eavesdropping on protestors or tracking a criminal suspect; it’s a bid to compromise or disrupt critical infrastructure, possibly during sensitive diplomatic events.

Detecting CSS Attacks

While CSS devices are primarily passive, making them very difficult to detect, there are tools available. These tools work mainly by observing cellular control traffic and checking Cell ID consistency, neighboring-cell information, and signal strength to flag potential rogue CSS devices. Two common tools are Android-IMSI-Catcher-Detector (https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector) and EFF's Rayhunter (https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying). Both are open source, and the supported equipment for Rayhunter can be purchased for less than $20.
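To make the three detection signals above concrete, here is an added example of the kind of heuristics a CSS detector applies to serving-cell observations. It is illustrative code written for this post, not code from Trustwave, Android-IMSI-Catcher-Detector or Rayhunter. The observation records, the carrier's "known cell" list and the thresholds are constructed assumptions; real tools read the same fields (serving cell ID, advertised neighbors, signal strength, radio technology) from the modem's diagnostic interface. Beyond the three checks the post names, it also flags a downgrade to an older radio technology, a widely used fourth heuristic.

```python
"""Rogue cell-site heuristics over constructed cell observation records.

Added example, not the code of the post's author or of the tools it cites.
Every value below is constructed: cell IDs, signal levels and the known-cell
list stand in for what a modem diagnostic feed and a carrier's cell database
would provide.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Higher rank = newer radio technology; a drop in rank is a downgrade.
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4, "NR": 5}


@dataclass
class CellObservation:
    t: int                # seconds since capture start (constructed)
    cell_id: int          # serving cell identifier reported by the modem
    rat: str              # radio access technology: GSM, UMTS, LTE or NR
    rsrp_dbm: int         # serving-cell signal strength in dBm
    neighbors: List[int]  # neighbor cell IDs the serving cell advertises


def detect_rogue_cells(observations: List[CellObservation],
                       known_cells: Set[int],
                       jump_db: int = 25) -> List[Tuple[int, str, int]]:
    """Return alerts as (t, rule, cell_id) tuples.

    Rules mirror the signals the post names:
      - Cell ID consistency: serving cell absent from the carrier's known list
      - Neighbor info: no advertised neighbors, or a handover to a cell the
        previous serving cell never advertised
      - Signal strength: an abrupt jump of at least jump_db
    plus a downgrade to an older radio technology (assumed threshold values).
    """
    alerts: List[Tuple[int, str, int]] = []
    prev = None
    for obs in observations:
        if obs.cell_id not in known_cells:
            alerts.append((obs.t, "unknown_cell_id", obs.cell_id))
        if not obs.neighbors:
            alerts.append((obs.t, "empty_neighbor_list", obs.cell_id))
        if prev is not None:
            if obs.cell_id != prev.cell_id and obs.cell_id not in prev.neighbors:
                alerts.append((obs.t, "unadvertised_handover", obs.cell_id))
            if obs.rsrp_dbm - prev.rsrp_dbm >= jump_db:
                alerts.append((obs.t, "signal_jump", obs.cell_id))
            if RAT_RANK[obs.rat] < RAT_RANK[prev.rat]:
                alerts.append((obs.t, "rat_downgrade", obs.cell_id))
        prev = obs
    return alerts


def score_cells(alerts: List[Tuple[int, str, int]]) -> Dict[int, int]:
    """Count alerts per cell, most suspicious first, for triage."""
    scores: Dict[int, int] = {}
    for _, _, cell_id in alerts:
        scores[cell_id] = scores.get(cell_id, 0) + 1
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


# Constructed sample: two legitimate cells, then a rogue cell (9999) that
# appears with a strong GSM signal and no neighbor list, then a return to
# a legitimate LTE cell.
KNOWN_CELLS = {1001, 1002, 1003, 1004}
SAMPLE = [
    CellObservation(0, 1001, "LTE", -95, [1002, 1003]),
    CellObservation(10, 1002, "LTE", -92, [1001, 1003]),
    CellObservation(20, 9999, "GSM", -60, []),
    CellObservation(30, 1003, "LTE", -90, [1001, 1002]),
]

if __name__ == "__main__":
    for t, rule, cell_id in detect_rogue_cells(SAMPLE, KNOWN_CELLS):
        print(f"t={t:>3}s  {rule:<22} cell={cell_id}")
    print("scores:", score_cells(detect_rogue_cells(SAMPLE, KNOWN_CELLS)))
```

Note that the return to cell 1003 also trips the unadvertised-handover rule, because the rogue cell advertised no neighbors at all; a single rule firing is noise, while the rogue cell trips all five, which is why the per-cell score rather than any one alert is what a detector should surface.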

Analysis

This incident is a dramatic reminder that, while the technology is democratized (even hobbyists can dabble in cellular interception, at the risk of federal prison time in the US), real damage comes from scale, coordination, and intent. The discovery by the Secret Service doesn’t herald the birth of a new threat, but rather the evolution of a familiar one into something capable of shaking the foundations of trust in our communications infrastructure.

Enterprises with mobile footprints should view this as a wake-up call: continuous monitoring and practiced incident response, whether by an internal team or a security service provider like Trustwave’s MDR capabilities, are no longer optional, but essential. With attacks moving from hobbyist trickery to critical-scale infrastructure tampering, the defense must evolve in step.


Article source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/us-secret-service-blocks-massive-telecom-attack-in-new-york/