One of the top executives of a gargantuan texting contractor has been accused of running a secret surveillance business, the likes of which sold access to the company’s partner networks so that governments could spy on various users.
A joint investigation from Bloomberg and the Bureau of Investigative Journalism recently uncovered allegations aimed at Ilja Gorelik, co-founder and chief operating officer of Swiss texting firm Mitto AG.
Calling itself a provider of “omnichannel messaging solutions,” Mitto acts as a third-party SMS contractor for some of the tech industry’s biggest companies. It provides promotional services via text — helping blast out advertisements and other kinds of notifications to mobile phones all over the world. It also enables secure login and two-factor authentication for various platforms through security code texting. In addition to having relationships with dozens of telecoms, the company has reportedly contracted with the likes of Twitter, Google, WhatsApp, Telegram, TikTok, Instagram, LinkedIn, and Slack, among others. It reportedly delivers texts to billions of phones all over the world, including in places as far-flung as Afghanistan and Iran.
However, according to new reporting, the company’s COO, Gorelik, has been running a secret side-business in which he sells access to Mitto’s networks to private surveillance companies, which then sell that access to government spy agencies — allowing them to triangulate and track specific users.
Bloomberg spoke to four former Mitto employees, as well as to security firm contractors that claim to have worked with Gorelik, all of whom apparently confirmed the executive’s activity.
The access to global phone networks that do business with Mitto is said to have been provided through vulnerabilities in a telecom protocol known as SS7. The insecurity of the protocol is fairly well-known. The exploitation of SS7 could allow an attacker to track the physical location of specific phones as well as to redirect text messages and phone calls, Bloomberg reports.
Former employees of at least one company — the Cyprus-based cybersecurity firm TRG Research and Development — went on record to admit that they procured access to Mitto’s networks through Gorelik. The former employees allege that Gorelik personally installed TRG surveillance software on Mitto’s network, enabling clandestine access to its network. According to them, there was “virtually no oversight” of the alleged spying being conducted using Mitto’s network. TRG, which sells data to government agencies for the purposes of fighting crime and “terror,” denied any official relationship with Mitto or Gorelik.
This seems to have gone on for years. According to the whistleblowers, Gorelik first started selling access to Mitto’s networks in 2017. The spying is alleged to have included a 2019 incident that involved the targeting of at least one high-level U.S. State Department official.
If true, these allegations are yet another example of the murky, unethical reaches of the surveillance industry — the likes of which is really having a moment in terms of media coverage.
The Bloomberg report asserts that there is no evidence that any of Mitto’s tech clients (i.e., Google, Twitter, etc.) have been compromised. Gorelik, meanwhile, has denied the allegations, as has Mitto. A representative for Mitto apparently told Bloomberg that it is currently conducting an investigation “to determine if our technology and business has been compromised.”
We reached out to the company with multiple requests for comment but haven’t heard back. We will update this story if they respond.