The existence of the Signaling System 7 (SS7) cell phone protocol vulnerability was alerted to by security researchers in 2016 and it took only a year to observe the first attack that exploited the vulnerability.
Over the next few years, the government used SS7 vulnerabilities to track individuals abroad, and hackers used them to hijack Telegram and email accounts.
In addition to SMS, SS7 security vulnerabilities can be exploited to intercept or forward calls, 2FA codes, locate devices, spoof text messages, and more.
But are these hacking services as abundant as rumored, or is the Dark Web full of scammers just waiting to rip off aspiring spies?
Usability Survey
Analysts at SOS Intelligence searched the dark web for providers of SS7 exploit services and found 84 sites with autonomous onion domains that claimed to offer these services.
After narrowing the results to domains that appeared to still be active, they ended up finding only four of the following.
SS7 Exploiter
SS7 ONLINE Exploiter
SS7 Hack
Dark Fox Market
All four of these sites claim to offer SMS blocking and spoofing, location tracking, and call blocking and redirection.
By analyzing the network topology data of these sites, the researchers found that some of them were relatively isolated, did not have many inbound links, and did not publish promotional ads.
This is not a good indication of the reliability and trustworthiness of the sites, and is usually a sign of a recently established fraudulent platform.
In addition, the SS7 Hack site appears to have been copied from a Minnet site created in 2021, and thus appears to be more of a scam.
In trying to use its SS7 exploit kit in hopes of implementing the API mirroring feature, the researchers did not get any results because the service was offline.
On the Dark Fox Market platform, which charges $180 per targeted phone number, the researchers found the same demo videos uploaded on YouTube by Russian users in 2016.
These were likely stolen from YouTube and have no connection to the Dark Fox Market platform, which does not offer an available SS7 exploit service anyway.
Nevertheless, by analyzing the cryptocurrency wallets offered by these platforms, SOS Intelligence found that scammers are making a lot of money.
The Hidden Real SS7 Exploit Service
The above does not mean that there are no SS7 exploit services on the dark web, but rather that the real SS7 exploit services are hidden behind membership hacking forums and dark web trading marketplaces such as World Market.
As is often the case on the Dark Web, the first search result one finds on the "surface" usually leads to a scam.
One must dig deeper to get the real deal, but that never eliminates the chance of still falling for the scam.
Of course, there are also powerful threat actors who can access cell phone data through affiliates or their own operations, so they don't need to look for providers of SS7 exploit services on the dark web.