SS7 is Signaling System 7: the protocol suite used to set up and tear down telephone calls, route SMS messages, and manage roaming between cellular networks. It was designed in the 1970s for a closed network of trusted telecom operators, with no authentication or encryption between network participants. It is the structural foundation of cellular roaming and SMS delivery, and also the structural vulnerability that lets attackers with SS7 access intercept SMS, locate phones, and conduct the precursor steps of SIM-swap attacks.
What it means in practice
The SS7 trust model assumes every network participant is a legitimate telecom operator. In the modern environment, SS7 access is available through legitimate-telecom procurement (any small operator can obtain SS7 connectivity), gray-market resellers selling capacity to investigation services, and unauthorized access via compromised telecom infrastructure or insider threats. Once SS7 access is obtained, the attack capabilities are: SMS interception (the SMS for a target phone is rerouted to the attacker’s controlled endpoint), location tracking (the cellular network responds to “where is this subscriber” queries with cell-tower information), call interception (less common but documented), and the precursor data for SIM-swap social engineering. The 2017 Office of Personnel Management documented SS7 attacks; subsequent disclosures have shown the capability is operationally available to organized cybercrime, mercenary surveillance services, and nation-state services. The 2024-26 environment continues to feature SS7-based attacks against high-target individuals despite years of awareness in the security community.
Who is targeted, and by whom
Targets cluster around high-value accounts protected by SMS 2FA: financial accounts that still rely on SMS 2FA (the 2024-26 trend has been migration away from SMS, but residual exposure remains), cryptocurrency exchange accounts (the documented SIM-swap-cum-SS7 attack pattern producing six- and seven-figure losses), high-target political and journalist phones where location tracking matters, and the broader category of any account where SMS interception bypasses the security layer. The operators are organized cybercrime groups running SIM-swap-and-drain schemes (with documented coordination through the Snapchat group OG community and equivalent successor communities), commercial surveillance services selling SS7-based location and intercept capability, and nation-state services using SS7 against high-priority targets. The Predaxia operational frame: SS7-based attacks are the structural reason SMS 2FA should be replaced with TOTP, hardware-key, or passkey 2FA on every account that supports the alternative.
What you can change today
There are three structural defenses against SS7-class attacks. First, eliminate SMS 2FA on every account that supports an alternative: TOTP (Aegis or 1Password), hardware key (YubiKey for the keystone accounts), or passkey on services that support FIDO2. SMS 2FA remains acceptable only for accounts that offer no alternative, and these accounts should be the first targeted for replacement when alternatives become available. Second, set a port-out PIN with your carrier (the carrier-side passcode required before any SIM swap or port-out can complete; it significantly reduces SIM-swap social-engineering effectiveness). Third, be aware that SS7-based location tracking is available to the operators who have purchased the capability; for the threat model where this matters, leave the phone at home for sensitive meetings, use a burner phone for high-target operational contexts, and reduce the value of the location data by reducing the destinations the device visits.
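The first defense can be worked through as an inventory check. The following is an added example, not part of the original page: it ranks accounts for SMS 2FA replacement and goes slightly beyond the text by also flagging accounts where a strong factor is enrolled but SMS is still active as a fallback. The account names, the `keystone` flag, and the preference order among alternatives are assumptions of this example, and the inventory is constructed.

```python
from dataclasses import dataclass

# Alternatives the page names. The preference order is an assumption of this example.
PREFERENCE = ("hardware_key", "passkey", "totp")

@dataclass(frozen=True)
class Account:
    name: str
    keystone: bool        # hypothetical flag: compromise here unlocks other accounts
    enrolled: frozenset   # second factors currently active, fallbacks included
    supported: frozenset  # second factors the service offers

def assess(acct):
    """Return (priority, action); a lower priority number means act sooner."""
    if "sms" not in acct.enrolled:
        return 3, "no SMS exposure"
    urgent = 0 if acct.keystone else 1
    strong = [f for f in PREFERENCE if f in acct.enrolled]
    if strong:
        # A strong factor does not help while SMS can still be used instead of it.
        return urgent, f"remove SMS fallback ({strong[0]} already enrolled)"
    options = [f for f in PREFERENCE if f in acct.supported]
    if options:
        return urgent, f"enroll {options[0]}, then remove SMS"
    return 2, "SMS only: set carrier port-out PIN, replace when an alternative appears"

def plan(accounts):
    """Sort accounts so the most urgent SMS exposure comes first."""
    rows = [(*assess(a), a.name) for a in accounts]
    return sorted(rows, key=lambda r: (r[0], r[2]))

# Constructed inventory, not real accounts.
INVENTORY = [
    Account("primary-email", True, frozenset({"hardware_key", "sms"}),
            frozenset({"hardware_key", "totp", "sms"})),
    Account("crypto-exchange", True, frozenset({"sms"}),
            frozenset({"totp", "passkey", "sms"})),
    Account("utility-bill", False, frozenset({"sms"}), frozenset({"sms"})),
    Account("forum", False, frozenset({"totp"}), frozenset({"totp", "sms"})),
    Account("bank", False, frozenset({"sms"}), frozenset({"totp", "sms"})),
]

if __name__ == "__main__":
    for priority, action, name in plan(INVENTORY):
        print(f"P{priority}  {name:16} {action}")
```

Accounts at priority 2 are the ones the page treats as acceptable on SMS for now; re-run the check whenever a service adds a new second-factor option.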
