Adversaries bought location data from ad brokers. Then they used it to target US troops in combat zones.
Short answer
On May 28, 2026, Reuters published a letter from Senator Ron Wyden in which US Central Command confirmed it had received multiple threat reports of adversaries exploiting commercially available location data to target or surveil American personnel deployed in active war zones. The data was not stolen. It was purchased from the same brokers that sell audience targeting to advertisers.
The confirmation is the first official acknowledgment from the Pentagon that commercial smartphone location data has been used to direct attacks against US troops in theater. No system was breached. No credential was phished. The transaction was legal, conducted through the same advertising data ecosystem that supplies retailers, app developers, and marketing platforms with continuous streams of GPS coordinates. The threat did not exploit a flaw. It exploited the design.
What happened
In April 2026, Senator Ron Wyden wrote to the Pentagon asking specific questions about the use of commercial location data as a threat vector against deployed military personnel. On April 14, CENTCOM responded. The letter, which Reuters obtained and reported on May 28, stated that the command had “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater.” The Threat Fusion Cell had identified, tracked, and disseminated these threats through the USCENTCOM Threat Working Group to component force protection personnel.
CENTCOM’s area of responsibility includes the Gulf, where US forces have been engaged against Iranian military assets over the Strait of Hormuz. At least 13 American service members have been killed and roughly 400 wounded in those operations. The letter did not describe specific incidents. What it confirmed was a pattern: adversaries are buying location data on the open market and using it to track American troops.
What commercial location data is
Every smartphone running apps with location permissions generates a continuous stream of GPS coordinates. Those coordinates are collected by the apps, aggregated by data brokers, and sold. The buyers are usually advertisers who use location history to serve targeted ads. The same data is available to anyone willing to pay, in volumes large enough to be statistically useful and granular enough to be operationally useful.
A broker dataset does not know whether the device it is tracking belongs to a civilian, a contractor, or a Special Forces operator. It tracks the device. The device goes where the person goes. The person’s pattern of life, their base location, their daily movements, their travel to forward operating positions, all of it becomes a purchasable product. Senator Wyden’s office described the threat plainly in the letter that prompted the CENTCOM response: commercial location data can be used to identify where US troops congregate and their pattern of life, which can then be exploited to direct missiles, drones, and roadside bombs, as well as for counterintelligence purposes.
That sentence describes what happened. It also describes what has been technically possible for a decade. This is not a new problem. It is a newly confirmed one.
As far back as 2016, a US defense contractor showed that commercially available location data could be used to track special operations forces from their home bases in the United States to a sensitive staging post in Syria. The account was first reported by the Wall Street Journal. No action was taken at the policy level. In 2024, Wired mapped detailed movements at US installations in Germany, working with two German news organizations and billions of location coordinates purchased from a single data broker. The dataset showed exactly who was present at eleven military and intelligence sites, when they arrived, and when they left. A GAO report published in January 2026 confirmed that military OPSEC training did not address commercial data brokers. Soldiers were trained on what not to post on social media. Nobody trained them on the apps running in the background of the phone in their pocket.
The CENTCOM letter is not a warning about a future threat. It is a confirmation of a present one.
How the targeting works
A commercially purchased dataset covering a region where US forces operate lets an adversary identify clusters of devices that appear at military installations and then move together to forward positions. Those clusters behave differently from civilian devices. They travel in patterns consistent with military operations. They appear at times and in locations that correlate with troop movements. The adversary does not need a name. They need to know that a cluster of devices moved from a known base to a specific grid reference at a specific time. That is enough to direct a drone, calibrate a mortar, or time an IED.
The advertising ID attached to each smartphone is the thread that makes this possible. It is a unique persistent identifier that ties every location ping to a single device across every app that device runs. Disabling it breaks the thread. It does not eliminate location data collection. It removes the identifier that lets a broker stitch a continuous history into a single, sellable profile.
Lawmakers responding to the CENTCOM letter recommended specific actions: disabling advertising IDs on all DoD-issued smartphones, ordering service members to disable them on personal phones taken onto military installations or on overseas deployments, and removing Google Chrome from DoD computers and smartphones on the grounds that it is designed to facilitate data collection for advertising purposes. A response is due from the Pentagon by June 26. The pattern here is the same one we documented two weeks earlier in the supply chain attack against developer tooling: the legitimate channel was the attack surface, the routine transaction was the exploit, and nothing about either incident required a flaw to work.
What this means beyond the battlefield
The same data broker ecosystem that sells location histories on US troops sells location histories on everyone. The threat model that applies to a soldier in theater is the same threat model that applies to anyone whose movements are operationally sensitive.
A journalist whose movements between sources are logged by a navigation app. An NGO worker whose route through a conflict zone is recorded by a weather app. A lawyer whose visits to clients in detention facilities are tracked by a fitness app. The household of a deployed service member whose OPSEC depends on the family at home, not just the soldier in theater. None of them consented to building a targeting package. All of them built one anyway.
The military context makes the consequence visible in a way that civilian surveillance rarely does. When commercially available location data contributes to a strike on a forward position, the causal chain is short and the outcome is measurable. When the same data is used to surveil a journalist’s source relationships, profile an NGO worker’s operational patterns, or reconstruct an attorney’s client meetings, the causal chain is longer and the outcome is less visible. The data is the same. The mechanism is the same. The exposure is the same.
Before your phone becomes a liability
On iPhone, open Settings, then Privacy & Security, then Tracking. Disable “Allow Apps to Request to Track”. This prevents apps from accessing the advertising identifier and is the single most consequential setting on the device for this threat.
On Android, open Settings, then Google, then Ads. Select “Delete advertising ID”. On Android 12 and above, this replaces the persistent identifier with a string of zeros that cannot be linked across apps or sessions. On older builds, reset the ID and disable personalised ads as a baseline; the protection is partial but meaningful.
On both platforms, audit which apps have location access set to Always. Any app with Always access is logging your movements continuously, regardless of whether the app is open. Set anything that does not require continuous location to While Using or Never. The list of apps that genuinely need Always access is shorter than people assume. Maps does not need it. Weather does not need it. A fitness tracker only needs it while you are actually exercising.
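For an Android device you administer, the Always audit can be scripted instead of tapped through. The script below is an added example, not part of the original article: it reads adb's package dump and lists every app whose background location permission is granted, which on Android 10 and later is what the Always setting corresponds to. The function names, the sample dump and its package names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list Android apps that hold
# "Always" location access, i.e. a granted ACCESS_BACKGROUND_LOCATION permission.

# Read `dumpsys package` text on stdin; print each package with the grant.
always_location_apps() {
  awk '
    # A package record starts with a line like:  Package [com.example.app] (hash):
    /^ *Package \[/ {
      pkg = substr($0, index($0, "[") + 1)
      pkg = substr(pkg, 1, index(pkg, "]") - 1)
      next
    }
    # Only granted lines count; "requested permissions:" entries carry no
    # "granted=" field, and granted=false means While Using or Never.
    /android\.permission\.ACCESS_BACKGROUND_LOCATION: granted=true/ {
      if (pkg != "" && !(pkg in seen)) { seen[pkg] = 1; print pkg }
    }
  ' | sort
}

# Constructed sample in the shape of dumpsys output; package names are made up.
sample_dumpsys() {
  cat <<'EOF'
Packages:
  Package [com.example.weather] (1a2b3c):
    requested permissions:
      android.permission.ACCESS_BACKGROUND_LOCATION
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.maps] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.fitness] (7a8b9c):
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
EOF
}

# Live audit of an attached device (assumes adb and USB debugging are set up).
audit_device() {
  adb shell dumpsys package | tr -d '\r' | always_location_apps
}

# Query the device only when asked; otherwise show the sample result.
if [ "${1:-}" = "--device" ]; then audit_device; else sample_dumpsys | always_location_apps; fi
```

Run it with --device to query an attached phone. An app is listed if any user profile on the device has granted it background location, so work-profile grants show up too.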
These steps reduce your exposure. They do not eliminate it. Mobile carriers log cell tower connections regardless of any app permission. Apps that access the network can infer approximate location from your IP. The baseline exposure of carrying a smartphone is not zero, and any guide that claims otherwise is selling something. What disabling the advertising ID does is remove the single identifier that ties your location history together into a coherent, purchasable profile. That is a meaningful change in the threat model, not a complete defence.
Frequently asked questions
Was this data stolen from the military?
No. The location data was purchased through commercial data brokers. It was collected from smartphones running apps with location permissions and sold through the standard advertising data ecosystem. No military systems were breached. The data was generated by the devices of military personnel and became commercially available through the same channels that any advertiser can access.
Which apps are most likely to be selling this data?
Any free app that requests location permission. Navigation, weather, fitness, retail, and gaming categories are the most consistent sources, but the list is much longer. An app’s privacy policy typically discloses third-party data sharing in language designed to be easy to overlook. The practical approach is to deny Always location access to every app that does not need continuous location to function, and to assume that any app with Always access is contributing to a broker dataset.
Does this affect military family members at home?
Yes. A family member whose device is present at a military installation, travels to a base for a visit, or whose location history correlates with a service member’s home address generates a data point that can be used to identify and locate that service member indirectly. The OPSEC implications of family members’ devices are not currently addressed in standard military family briefings, which is a gap the GAO has flagged repeatedly.
What is the advertising ID and why does it matter?
The advertising ID is a unique persistent identifier assigned to each smartphone by the operating system. It lets data brokers link location pings from different apps into a single continuous history tied to one device. Disabling it means location data from different apps cannot be combined into a coherent profile. It is the single most effective individual control. It will not stop collection, but it breaks the most useful identifier brokers have.
The data was not stolen. It was generated by apps people chose to install, aggregated by brokers, and sold to whoever paid. One category of buyer used it to direct attacks on American troops. The transaction was entirely legal. That is the part that does not get easier to explain the more you look at it.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
