The Infrastructure-as-Weapon Problem
On April 23, 2026, Citizen Lab's Bad Connection report identified something Israel's Defense Export Control Agency was never designed to see: a surveillance operation that doesn't export software. It routes tracking queries through legitimate mobile network infrastructure instead. The report documented two distinct campaigns — designated STA1 and STA2 — exploiting both legacy SS7 signaling and modern 4G Diameter protocols, with Israel's 019Mobile carrier (operating under the brand Telzar 019, Israel's sole airport roaming provider) appearing as a routing node in Diameter-based location tracking that reached targets in at least nine countries.
The technical mechanism is elegant in its evasion. Rather than deploying spyware to a target device — the model that made NSO Group's Pegasus infamous — these campaigns exploit SS7 and Diameter inter-operator signaling, the unglamorous plumbing that lets your phone work while roaming abroad. By leasing "Global Titles" (unique telecom network identifiers) from operators, surveillance vendors inject location queries into the global signaling fabric, where they emerge looking like ordinary carrier traffic. Switzerland-based Fink Telecom Services reportedly leased such identifiers to Israeli surveillance firms including Cognyte (developer of the SkyLock SS7 tracking platform) and Rayzone Group, effectively laundering tracking traffic through a European intermediary to bypass geolocation-based security filters.
The Documented Scale
STA1 has executed more than 500 location-tracking attempts since November 2022, rotating through eleven operator identities across nine countries including Bangladesh, Norway, South Africa, Sweden, Thailand, and Montenegro. STA2, using a Global Title attributed to Sweden-based Telenabler AB, generated more than 1,700 SS7 attacks between October 2023 and April 2025 — 92% of that traffic linked directly to device location queries. Across both campaigns and what Citizen Lab described as a universe of millions of potential attacks, researchers documented more than 15,700 covert location-tracking attempts routed through Israeli carrier infrastructure spanning at least ten countries. A Simjacker variant completed the toolkit: invisible SMS commands exploiting a legacy SIM Toolkit application called the S@T browser turned targeted handsets into silent beacons, exfiltrating cell ID and location data with no trace left on the SIM card.
Targets, based on the profile of affected networks and prior Citizen Lab research on these vendors, skewed toward journalists, diplomats, and activists rather than mass populations — a pattern consistent with commercial intelligence platforms sold to government clients.
The Steelman Case for Israel's Existing Framework
Before characterizing Israel's regulatory response as negligence, consider what has been done. Following U.S. sanctions against NSO Group and Candiru in November 2021 and diplomatic pressure from France over alleged Pegasus targeting of President Macron, Israel cut its approved cyberweapons export destinations from 102 countries to 37 — primarily democratic governments and Five Eyes members. The Defense Export Control Agency (DECA) introduced updated end-user declarations requiring buyers of counter-terrorism and investigative systems to commit to documented lawful use. In March 2026, a proposed dual-use export control bill expanded licensing requirements to cover brokering, transshipment, and technical assistance, not just direct product exports.
Targeted surveillance of genuine security threats is a legitimate state function. Every democracy with a serious intelligence apparatus exercises some version of it. The question is not whether such tools should exist but whether the infrastructure that enables them operates with any accountability at all.
Why the Framework Still Fails
DECA's jurisdiction is defined around product exports and marketing licenses — not network-layer access arrangements. A company that obtains a Global Title from a third-country intermediary and routes SS7 queries through an Israeli carrier's infrastructure has not exported anything. It has accessed infrastructure. DECA has no authority over that transaction, and no Israeli Communications Ministry mandate requires carriers to detect, log, or report anomalous signaling volumes.
019Mobile's response to Citizen Lab illustrates the gap precisely. The carrier's head of security denied any involvement, noting 019Mobile is a virtual operator using Partner Communications' radio network, and that messages in its name "would have been rejected." That response may be internally consistent. But Citizen Lab confirmed via BGP routing analysis that 019Mobile's associated ASN appeared as an originating network in Diameter surveillance traffic. The carrier's stated controls and its actual network behavior diverged — and no Israeli authority was watching.
This is not primarily a failure of 019Mobile. It is a regulatory vacuum: no GSMA-mandated firewall audit, no mandatory SS7/Diameter anomaly detection, no reporting obligation to any Israeli authority.
Contrast this with the UK. In April 2025, Ofcom published its final statement on Global Titles and Mobile Network Security, banning operators from leasing Global Titles to third parties and imposing binding obligations on number-range holders to audit sub-allocated traffic. That decision came after more than a decade of investigative reporting identifying UK-registered Global Titles as the largest single source of malicious SS7 traffic globally. It is a concrete, enforceable, network-layer rule. Israel has no equivalent.
The Accountability Architecture Israel Needs
The fix is not another export-control tier layered atop DECA. It requires separating the surveillance-vendor question from the telecom-infrastructure question, which have different regulators, different legal frameworks, and different accountability levers.
Three reforms would close the gap. First, Israel's Communications Ministry should mandate GSMA FS.11 and FS.19 network security controls as a licensing condition for any operator with international roaming agreements — audited obligations, not voluntary compliance. Second, carriers should face quarterly reporting requirements on anomalous signaling-traffic volumes, benchmarked against peer-operator comparisons, submitted to the Ministry. Third, Israel's Privacy Authority — which is gaining broader investigative jurisdiction under reform bills advancing in the Knesset — should have explicit statutory authority to audit carriers whose infrastructure appears in credible third-party surveillance documentation.
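One way a carrier could produce the anomalous-signaling figures the second reform calls for, shown as an added example that is not taken from Citizen Lab's report or any operator's tooling: it computes, per source Global Title, the share of inbound MAP traffic made up of location-revealing queries. The record layout, the placeholder GTs and IMSIs, the choice of operations counted as location queries, and both thresholds are assumptions; the sample is constructed so that one source shows the 92% location-query mix reported for STA2.

```python
from collections import defaultdict

# MAP operations that return subscriber location or serving-node data.
# Which operations to count is an assumption of this example.
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                "provideSubscriberLocation", "sendRoutingInfoForSM"}

# Constructed sample records: (source Global Title, MAP operation, target IMSI).
# GTs and IMSIs are made-up placeholders, not values from the report.
SAMPLE = (
    [("GT-PEER-A", "updateLocation", f"IMSI-{i}") for i in range(40)]
    + [("GT-PEER-A", "sendAuthenticationInfo", f"IMSI-{i}") for i in range(40)]
    + [("GT-PEER-A", "provideSubscriberInfo", f"IMSI-{i}") for i in range(4)]
    + [("GT-LEASED-X", "provideSubscriberInfo", f"IMSI-T{i % 3}") for i in range(30)]
    + [("GT-LEASED-X", "anyTimeInterrogation", f"IMSI-T{i % 3}") for i in range(16)]
    + [("GT-LEASED-X", "sendAuthenticationInfo", "IMSI-T0") for _ in range(4)]
    + [("GT-PEER-B", "anyTimeInterrogation", "IMSI-9")]
)

def location_query_report(records, min_msgs=20, max_share=0.5):
    """Per source GT: volume, location-query share, distinct targets, flag."""
    total = defaultdict(int)
    loc = defaultdict(int)
    targets = defaultdict(set)
    for gt, op, imsi in records:
        total[gt] += 1
        if op in LOCATION_OPS:
            loc[gt] += 1
            targets[gt].add(imsi)
    report = {}
    for gt, n in total.items():
        share = loc[gt] / n
        report[gt] = {
            "messages": n,
            "location_queries": loc[gt],
            "location_share": round(share, 2),
            "distinct_targets": len(targets[gt]),
            # Flag only sources with enough volume to judge and a traffic mix
            # dominated by location queries; low-volume GTs are left for review.
            "flagged": n >= min_msgs and share > max_share,
        }
    return report

if __name__ == "__main__":
    for gt, row in sorted(location_query_report(SAMPLE).items()):
        print(gt, row)
```

A roaming partner's normal mix (registration and authentication traffic with occasional subscriber-info lookups) stays well under the threshold, while a source that sends mostly location queries at a handful of repeated targets stands out in both the share and the distinct-target columns.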
None of this requires Israel to exit the global cybersecurity industry. It requires applying to domestic telecom governance the same proportionate discipline it has, fitfully, begun applying to product exports. Four years of documented tracking campaigns using Israeli carrier addresses, and no Israeli regulatory body has claimed jurisdiction over any of it. Bad Connection is not just a technical finding. It is an accountability audit — and Israel's institutions have not yet shown up to answer it.