Possible SS7 + WhatsApp metadata surveillance – need expert input

High
Published: Fri Sep 05 2025 (09/05/2025, 18:54:35 UTC)
Source: Reddit NetSec

Description

Hi everyone, I’ve been a victim of targeted cyberstalking for years and I need to share my experience to understand if what happened to me points to SS7 abuse alone, or if there had to be someone with privileged access inside Meta (WhatsApp).

Here are the facts:

• I used two numbers:
  • One SIM only for data.
  • A different number for WhatsApp, but the SIM itself was not in the phone (still active with the carrier, not blocked).
• I was never disconnected from my WhatsApp.
  • This means my account was never fully cloned using SS7 (since that would disconnect me).
• Still, my stalkers somehow knew all the new contacts I talked to on WhatsApp, including people I met on Tinder.
  • They didn’t know those numbers beforehand.
  • So simple correlation at the carrier level seems impossible.
• My suspicion:
  1. They were using SS7 for surveillance (location, SMS interception, monitoring my SIM’s traffic patterns).
  2. At the same time, they had access to WhatsApp metadata (number A ↔ number B, timestamps).
  • This would explain how they knew all my new contacts, without prior knowledge of their numbers.
• Important detail:
  • I always had 2FA (PIN) enabled.
  • I even tested registering my number on another phone, intercepted the SMS, but without the PIN the session never completed.
  • Despite that, I once saw real messages appear on the second phone — which left me wondering about some kind of “silent pre-login” bug.

⸻

My questions for the community:

1. Is it technically possible to access WhatsApp metadata (who talks to who) without insider or official Meta access?
2. Could SS7 + carrier-level monitoring alone explain how they mapped all my new contacts?
3. Have there been documented cases of “silent pre-login” where WhatsApp sessions were duplicated without disconnecting the victim?
4. From a defense standpoint, am I correct that moving to Signal (with usernames) and Session fully mitigates this kind of metadata exposure?

⸻

I’d really appreciate insights from anyone who works with telecom security, SS7, or has deep knowledge of WhatsApp’s metadata handling. Thanks for reading.

AI-Powered Analysis

Last updated: 09/05/2025, 19:58:15 UTC

Technical Analysis

This report describes a complex surveillance scenario involving potential abuse of the SS7 (Signaling System No. 7) telecommunications protocol combined with unauthorized access to WhatsApp metadata. SS7 is a set of protocols used by telecom operators worldwide to manage signaling and control of phone calls and SMS. It is known to have vulnerabilities that allow attackers with network access to intercept SMS messages, track location, and manipulate calls. The victim used two separate phone numbers: one SIM dedicated to data and another number for WhatsApp, with the WhatsApp SIM not physically present in the phone but still active. Despite no session cloning or disconnection occurring (which would typically happen if SS7 was used to clone the WhatsApp session), the attackers somehow obtained detailed metadata about the victim’s WhatsApp contacts, including newly added contacts unknown to the attackers beforehand. This suggests that SS7 abuse alone cannot fully explain the surveillance. The victim suspects a combination of SS7-based carrier-level monitoring (for location, SMS interception, and traffic patterns) and insider or privileged access to WhatsApp metadata (such as contact mappings and timestamps) within Meta. The victim also observed anomalous behavior resembling a “silent pre-login” where messages appeared on a second device without the victim’s session being disconnected, hinting at a possible WhatsApp client or server-side vulnerability allowing session duplication without triggering standard security controls. The victim had 2FA enabled, which prevented full session hijacking, but did not prevent metadata leakage or partial session duplication. 
The questions raised include whether WhatsApp metadata can be accessed without insider access, if SS7 alone can explain the contact mapping, documented cases of silent pre-login or session duplication without disconnect, and whether switching to privacy-focused messaging apps like Signal or Session (which use usernames and stronger metadata protections) would mitigate such risks. Overall, this case highlights the intersection of telecom protocol vulnerabilities and potential insider threats or advanced exploitation of messaging platform metadata, raising concerns about metadata privacy and the limits of current security controls in widely used encrypted messaging services.

Potential Impact

For European organizations, this threat poses significant privacy and security risks, especially for high-profile individuals, journalists, activists, and corporate executives who rely on WhatsApp for confidential communications. The ability to correlate metadata across telecom and messaging platforms can reveal social graphs, communication patterns, and potentially sensitive relationships without decrypting message content. This undermines confidentiality and can facilitate targeted cyberstalking, corporate espionage, or state-sponsored surveillance. The risk is amplified in Europe due to strict data protection regulations (e.g., GDPR) and the high adoption rate of WhatsApp as a primary communication tool. Organizations may face reputational damage and regulatory penalties if employee or executive communications are compromised. Additionally, the possibility of session duplication without user notification threatens the integrity of user sessions and trust in messaging platforms. The combination of SS7 vulnerabilities and potential insider access to metadata creates a complex threat landscape that is difficult to detect and mitigate using traditional security measures. This could lead to long-term exposure of sensitive metadata, enabling persistent surveillance and profiling.

Mitigation Recommendations

1. Telecom operators and regulators in Europe should accelerate the deployment of SS7 security enhancements such as Diameter protocol for LTE networks, SS7 firewalls, and anomaly detection systems to prevent unauthorized signaling access.
2. Organizations should educate users about the risks of SS7-based attacks and encourage the use of encrypted messaging apps that minimize metadata exposure, such as Signal or Session, which use privacy-preserving protocols and usernames instead of phone numbers.
3. Enable all available security features on WhatsApp, including two-factor authentication and security notifications for new device logins, and monitor for suspicious session activity.
4. Advocate for transparency and stronger metadata protection from messaging service providers, including audits and independent verification of insider access controls.
5. For high-risk individuals, consider using separate devices and SIMs for sensitive communications and avoid linking personal phone numbers to messaging accounts.
6. Implement network-level monitoring for unusual signaling traffic patterns indicative of SS7 abuse.
7. Engage with telecom providers to understand and limit metadata sharing and access within their infrastructure.
8. Encourage European regulatory bodies to mandate stricter controls on telecom signaling protocols and require messaging platforms to minimize metadata retention and access.

Technical Details

Source Type: reddit
Subreddit: netsec
Reddit Score: 0
Discussion Level: low
Content Source: reddit_link_post
Domain: privacyaffairs.com
Newsworthiness Assessment: {"score":23,"reasons":["external_link","newsworthy_keywords:rce","non_newsworthy_keywords:question,meta,community","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":["question","meta","community"]}
Has External Source: true
Trusted Domain: false

Threat ID: 68bb40c1535f4a97730de680

Added to database: 9/5/2025, 7:57:53 PM

Last enriched: 9/5/2025, 7:58:15 PM

Last updated: 9/5/2025, 7:58:15 PM
