Mitto CEO charged with selling access to mobile networks for espionage
Mitto co-founder is accused of providing a “surveillance service” that has helped governments track smartphones. The Swiss company sends, among other things, text messages with 2fa verification codes for companies such as Google and Twitter.
Former Mitto employees and customers allege that Mitto’s co-founder and chief operating officer, Ilya Gorelik, sold access to Mitto’s “mobile networks” for surveillance purposes. This is according to a joint study by Bloomberg and the Bureau of Investigative Journalism.
Mitto is a Swiss company founded in 2013. Among other things, the company sends automated text messages with 2fa verification codes for various tech giants. Companies such as Google, Twitter, WhatsApp, LinkedIn and Telegram use Mitto’s services, Bloomberg and the research firm write.
The company has established relationships with telecom providers in hundreds of countries in recent years, according to the two media outlets. Mitto’s partner networks included Vodafone, Telefonica, MTN and Deutsche Telekom, according to company documents viewed by Bloomberg and the agency. In doing so, Mitto signed “deals that enabled the company to send messages to billions of phones in most corners of the world.”
The alleged surveillance activities
However, in addition to the 2fa activities and other services the company offers, Mitto’s networks are also said to have been used to track the physical locations of certain users’ smartphones. According to the investigation, vulnerabilities in the SS7 telecom protocol have been exploited for this purpose, which make it possible, among other things, to trace the physical location of smartphones and to intercept voice and text messages.
Mitto’s co-founder is said to have offered this alleged surveillance service to surveillance companies, which in turn have contracts with ‘government agencies’. Mitto’s customers were not informed of the alleged surveillance activities, the anonymous sources claim.
Two ex-employees of an involved surveillance company claim that the company where they worked installed modified software at Mitto, in collaboration with Gorelik. That software could be used to track the location of smartphones and “in certain cases” also obtain the call logs of specific people. According to the anonymous sources, there was ‘virtually no supervision’ of the alleged surveillance software within the companies.
According to statements by a security analyst and documents viewed by Bloomberg and the Bureau of Investigative Journalism, the software was allegedly deployed in one case on a phone number of a high-ranking US State Department official. It is not known which client would have followed this official.
Mitto’s response
Mitto responds to the two media that the company itself is not involved in the surveillance activities. The company has launched an internal investigation to determine whether their “technology and business operations have been compromised.” If necessary, the company says it will take ‘corrective measures’.
“We are shocked by the allegations against Ilya Gorelik and our company,” Mitto said in a statement. “To be clear, Mitto does not organize or operate a separate company, division or entity that provides surveillance companies with access to telecom infrastructure to secretly locate people through their cell phones, or other illegal acts.” Ilya Gorelik herself has not yet commented on the allegations and Mitto declined to confirm whether Gorelik is still with the company.
Update, 7:06 PM: More details about Mitto’s networks and alleged surveillance activities have been added to the article.