Largest Cyberattack on Mobile Phone Infrastructure in U.S. History

U.S. Secret Service Dismantles Imminent Telecommunications Threat in New York Tristate Area

Primary Category: News / Crimes & Criminals

Authors:
•  SCARS Editorial Team – Society of Citizens Against Relationship Scams Inc.
•  Portions by United States Secret Service

About This Article

The U.S. Secret Service disrupted an imminent telecommunications threat in the New York tristate area by seizing a dispersed network of more than 300 SIM servers and 100,000 SIM cards used to place anonymous threats against senior U.S. officials. Investigators say the hardware could disable cell towers, enable denial of service attacks, and provide encrypted channels for criminal or nation-state actors. Early analysis points to contacts between foreign operatives and individuals already known to federal authorities. Devices were clustered within 35 miles of the United Nations General Assembly, prompting urgent action. The Advanced Threat Interdiction Unit is leading the ongoing probe with support from DHS, DOJ, ODNI, NYPD, and local partners.

U.S. Secret Service Dismantles Imminent Mobile Phone Cyberattack & Telecommunications Threat in New York Tristate Area

On September 23rd, 2025, the U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials, which represented an imminent threat to the agency’s protective operations.

This protective intelligence investigation led to the discovery of more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites.

In addition to carrying out anonymous telephonic threats, these devices could be used to conduct a wide range of telecommunications attacks. This includes disabling cell phone towers, enabling denial of services attacks, and facilitating anonymous, encrypted communication between potential threat actors and criminal enterprises.

While forensic examination of these devices is ongoing, early analysis indicates cellular communications between nation-state threat actors and individuals that are known to federal law enforcement.

“The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” said U.S. Secret Service Director Sean Curran. “The U.S. Secret Service’s protective mission is all about prevention, and this investigation makes it clear to potential bad actors that imminent threats to our protectees will be immediately investigated, tracked down and dismantled.”

These devices were concentrated within 35 miles of the global meeting of the United Nations General Assembly now underway in New York City. Given the timing, location, and potential for significant disruption to New York telecommunications posed by these devices, the agency moved quickly to disrupt this network. The U.S. Secret Service’s Advanced Threat Interdiction Unit, a new section of the agency dedicated to disrupting the most significant and imminent threats to our protectees, is conducting this investigation. This investigation is currently ongoing.

The Department of Homeland Security’s Homeland Security Investigations, the Department of Justice, the Office of the Director of National Intelligence and the NYPD, as well as other state and local law enforcement partners, provided valuable technical advice and assistance in support of this investigation.

This is an ongoing investigation.

Photo Gallery

Glossary

• Advanced Threat Interdiction Unit — This unit is a specialized section of the U.S. Secret Service that disrupts significant, imminent threats to protected persons. It conducts fast-moving operations, coordinates with partners, and removes devices or networks that could endanger public safety.
• Anonymous Telephonic Threat — This threat involves phone calls or messages that hide the caller’s identity while delivering intimidation or demands. Criminals often route calls through layered devices, which makes tracing harder, and increases fear and confusion.
• Botnet-Enabled Phone Network — This network links many compromised or criminally controlled devices to act together for malicious goals. It can flood systems, mask origins, and coordinate attacks across wide areas.
• Call Detail Records (CDRs) — These records log when, where, and how a phone call or text occurred. Investigators analyze CDRs to map contacts, timelines, and travel patterns that can link devices to suspects.
• Cell Tower Disruption — This disruption interferes with the normal operation of wireless base stations that connect mobile phones. Attackers can degrade service, drop calls, or block emergency communication across neighborhoods.
• Co-Located SIM Servers — These are groups of networked devices that host large numbers of active SIM cards in one place. They allow criminals to send calls or texts at scale, switch identities quickly, and conceal true origins.
• Command and Control (C2) Node — A C2 node directs malicious devices, issues instructions, and collects results. Disabling C2 nodes can break coordination, reduce harm, and expose the people behind an operation.
• Denial-of-Service (DoS) Attack — This attack overwhelms a network or service with traffic until legitimate users cannot connect. When aimed at phones or towers, it can block calls, texts, and critical alerts.
• Device Forensic Imaging — This process creates a verified, bit-by-bit copy of a device for safe analysis. It preserves evidence, protects chain of custody, and lets experts examine data without changing the original.
• Encrypted Communication — This method scrambles messages so only authorized parties can read them. Criminals misuse encryption to coordinate, but encryption also protects victims when used lawfully and responsibly.
• Evidence Preservation — This practice secures devices, data, and logs so they remain intact for court or investigations. Proper preservation supports justice, strengthens cases, and prevents contamination.
• Federal Protective Operations — These operations protect senior officials, visiting dignitaries, and designated events. The work includes advance planning, real-time threat monitoring, and rapid response to emerging risks.
• Geospatial Concentration Radius — This term describes the measured zone where devices or threats appear clustered. Analysts use it to assess risk near major events, critical sites, or population centers.
• Homeland Security Investigations (HSI) — HSI is a component of the Department of Homeland Security that investigates transnational crime. It supports cyber, financial, and technology cases through field offices and expert teams.
• Imminent Threat — An imminent threat presents a near-term risk that requires urgent action. Agencies prioritize speed, safety, and prevention when the window to act is short.
• International Mobile Equipment Identity (IMEI) — This is a unique identifier assigned to a physical mobile device. Investigators use IMEIs to track hardware, link seizures to suspects, and separate phones from SIM identities.
• International Mobile Subscriber Identity (IMSI) — This number identifies a subscriber on a mobile network through the SIM card. It ties usage to an account, which helps connect activity to networks of devices.
• Lawful Seizure — This is the legal taking of devices or data under court authority. It allows examiners to collect evidence, stop harm, and follow due process.
• Mobile Network Infrastructure — This infrastructure includes towers, base stations, switches, and core network elements that carry voice and data. Attacks on this layer can cause wide service loss and public safety risks.
• Nation-State Threat Actor — This actor operates with direction, support, or tolerance from a government. Such actors have resources, patience, and global reach, which complicates deterrence and response.
• Network Hardening — This practice strengthens systems to resist attack. It includes patching, segmentation, access controls, and monitoring that reduce the chance and impact of intrusions.
• NYPD Partnership Support — This support includes technical advice, logistics, and local enforcement assistance from the New York City Police Department. Strong city partnerships improve speed, coverage, and evidence handling.
• Office of the Director of National Intelligence (ODNI) — ODNI coordinates U.S. intelligence community activities. It helps align collection, analysis, and sharing when threats cross agencies and domains.
• Protective Intelligence — This discipline collects, assesses, and acts on information that signals danger to people or events. It blends threat indicators, open sources, and technical data to prevent harm.
• Proxy Routing — This routing bounces communications through multiple systems to hide the true source. It frustrates tracing, masks locations, and gives attackers time to operate.
• Seizure Warrant — A court-approved order authorizing the taking of devices, media, or records. Warrants define scope, timing, and items to ensure lawful collection.
• SIM Card Farming — This practice activates and manages large numbers of SIM cards to automate calls or texts. It enables identity swapping, evasion, and high-volume messaging for threats or fraud.
• SIM Server — A SIM server connects many SIM cards to telecommunication networks through software. It lets operators control calling, texting, and routing from a central point.
• Threat Deconfliction — This process ensures multiple agencies do not duplicate efforts or interfere with one another. Shared schedules, case notes, and contact points reduce risk and confusion.
• Threat Vector — A threat vector is the path or method used to carry out an attack. Knowing the vector helps defenders block access, monitor signals, and improve resilience.
• Tri-State Area (New York) — This region commonly refers to New York, New Jersey, and Connecticut. Dense population and critical infrastructure make the area a frequent focus for protection.
• United Nations General Assembly (UNGA) Security Perimeter — This perimeter is the layered zone of checkpoints, surveillance, and patrols around UN events. It expands during high-level meetings due to increased threat interest.
• S. Secret Service Protective Mission — This mission includes safeguarding protectees, securing sites, and stopping threats before they reach targets. Prevention, coordination, and technology form the core of this work.
• Volumetric Traffic Spike — This spike is a sudden swell of calls, texts, or data designed to overwhelm systems. Analysts look for abnormal patterns to catch attacks early, and operators throttle traffic to protect service.

Please Rate This Article

Please Leave Us Your Comment
Also, tell us of any topics we might have missed.

Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.

-/ 30 /-

What do you think about this?
Please share your thoughts in a comment above!