Toronto Police Bust Vehicle-Mounted SMS Blaster Phishing Operation
Toronto Police arrested three men and laid 44 charges over an alleged SMS blaster operation in the Greater Toronto Area that used rogue cellular base stations mounted in vehicles to impersonate legitimate towers and push phishing texts to nearby phones. Investigators said the campaign, dubbed Project Lighthouse, began drawing scrutiny after suspicious activity was reported in downtown Toronto in November 2025, with searches in Markham and Hamilton later leading to the seizure of multiple custom-built blasters and other electronic devices; two suspects were arrested during the searches and a third later surrendered.
Authorities said the devices forced tens of thousands of phones to connect automatically, enabling spoofed messages that appeared to come from banks, government agencies, and other trusted organizations and directing victims to fraudulent sites designed to steal credentials, passwords, and banking information. Police estimate the scheme caused roughly 13 million network disruptions or instances of mobile network entrapment, temporarily knocking affected devices off legitimate service and potentially blocking access to 911, and described the case as the first known detection of this type of threat in Canada while warning that conventional smishing remains an ongoing risk.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Toronto Police announce three arrests and 44 charges in SMS blaster case
Canadian authorities publicly disclosed that three men had been arrested and charged in what police described as Canada's first known SMS blaster case. Officials said the immediate threat from the seized devices had ended and warned the public about ongoing smishing risks through conventional channels.
Third suspect surrenders to Toronto Police
A third suspect turned himself in to authorities after the March raids. Police said the surrender occurred on April 21.
Police raid Markham and Hamilton locations and seize SMS blasters
On March 31, investigators executed searches in Markham and Hamilton, seizing multiple SMS blaster devices and other electronic equipment. Two suspects were arrested during the operation.
SMS blaster campaign disrupts networks and targets GTA mobile users
Over several months, operators allegedly drove vehicles equipped with rogue cellular base stations through the Greater Toronto Area, sending phishing texts that impersonated trusted organizations. Police said the operation affected tens of thousands of devices and caused roughly 13 million network disruptions, at times interfering with legitimate service and possible access to 911.
Project Lighthouse investigation begins after downtown Toronto reports
Toronto Police began investigating suspected SMS blaster activity in downtown Toronto after reports from a cybersecurity partner and other suspicious-activity alerts. Authorities later named the probe Project Lighthouse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Canadian authorities arrest 3 in SMS blaster phishing scheme | brief | SC Media
scworld.com
Open sourceCanada’s first SMS blaster case leads to three arrests - Help Net Security
helpnetsecurity.com
Open sourceCanada arrests three for operating “SMS blaster” device in Toronto
bleepingcomputer.com
Open sourceMobile SMS blasters in vehicles prowled Canadian streets, causing 13 million network disruptions and infiltrating tens of thousands of devices - blaster blocked 911 calls, stole cellphone data | Tom's Hardware
tomshardware.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users
Infoblox researchers reported a long-running **International Revenue Share Fraud (IRSF)** campaign that uses fake CAPTCHA pages to trick mobile users into sending premium-rate international text messages. Victims are funneled through typosquatted telecom-themed domains, ad-network redirects, and **Traffic Distribution System (TDS)** infrastructure to scam landing pages that present bogus verification steps. Those prompts trigger JavaScript that opens the phone’s SMS app with pre-filled messages and dozens of international numbers, and a single four-step interaction can generate about **60 SMS messages to more than 50 destinations**, costing roughly **$30 or more** per session. Researchers said the operation has been active since at least 2020, uses high-fee destinations including **Azerbaijan, Egypt, and Myanmar**, and has been linked to an affiliate of a European **Click2SMS** network using infrastructure hosted on **AS15699, Adam Ecotech**. Separately, Toronto police arrested three men in what authorities described as Canada’s first criminal case involving a mobile **SMS blaster**, a rogue device that impersonates a cellular tower to push phishing texts and disrupt legitimate service. Investigators said the devices were tracked across the Greater Toronto Area after one was detected in downtown Toronto, and police seized multiple SMS blasters and related equipment. Authorities believe **tens of thousands of phones** connected to the rogue system, contributing to more than **13 million network disruptions** that may have interfered with normal mobile access and even emergency services such as **911**. The cases highlight how attackers are abusing both web lures and fake base-station hardware to scale **smishing** and mobile billing fraud.
May 1, 2026
SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links
Recent research highlighted systemic security and privacy risks created by **sign-in/authentication links delivered over SMS**, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected **332,000 unique SMS-delivered URLs** extracted from **33 million texts** sent to **30,000+ phone numbers**, and reported that messages from **701 endpoints** on behalf of **177 services** exposed *critical PII*. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems. Greek police separately dismantled a criminal operation in the Athens area that used a **rogue mobile base station** (an “**SMS blaster**”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and **downgraded them from 4G to 2G**, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with **phishing links** used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals. Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.
Mar 21, 2026
Mobile and Web Fraud Campaigns Impersonating Public Services to Steal Data
Multiple active fraud and malware operations are abusing *trusted themes and brands* to compromise users, with a heavy emphasis on mobile-first delivery via social engineering. Zimperium reported a **targeted Android spyware** operation delivered through a fake “dating” app promoted via social media and messaging links; once installed, the app requests broad permissions (e.g., SMS, contacts, media) to enable **surveillance and data exfiltration** including messages, location, and credentials. Separately, Zimperium also described an Android campaign that **hides a RAT inside artifacts presented as legitimate AI/ML components** hosted on trusted framework infrastructure, enabling attackers to bypass basic screening and gain persistent device control (data theft, screen capture, remote command execution). In parallel, CybersecurityNews summarized two public-service impersonation campaigns tied to “traffic ticket” lures. In India, attackers are mimicking **RTO e-challan** notifications distributed via WhatsApp and other messaging platforms to push off-store Android apps that steal financial and personal data; the malware reportedly uses a **three-stage modular architecture**, dynamic remote configuration, anti-analysis, and a **custom VPN tunnel** to conceal C2 and exfiltration, while prompting victims for high-risk permissions and to disable battery optimization for persistence. In Canada, a separate operation uses **SEO poisoning** and SMS/ad lures to drive victims to **fake provincial traffic ticket payment portals** (e.g., BC, Ontario, Quebec) that harvest PII and payment card data; Unit 42 attributed the activity to a broader fraud network using a phishing kit with a “waiting room” feature and infrastructure spanning **70+ domains**, including concentration on the `45.156.87.0/24` netblock.
Mar 21, 2026