Fake Cell Towers Are the Fastest-Growing Scam in 2026 — Full Breakdown
A guy in São Paulo just got arrested for blasting 40,000 phishing texts per hour from his apartment. Here’s exactly how that works.
Your phone doesn’t verify cell towers. It just connects to the strongest signal nearby. That one design flaw — baked into GSM since the 1990s — is why a $700 radio in a backpack can hijack every phone on the block.
February 23, 2026. Vila Mariana, São Paulo. Third-floor apartment. Anatel agents traced a rogue signal using spectrum analyzers and directional antennas. Found a 26-year-old running a full fake base station — antenna, transmitter, laptop, two phones. First “ERB Fake” bust in SP this year. Seven more were seized in 2025 alone.
https://x.com/SwitchToThread/status/2026378914482799100?s=20
📡 How It Actually Works — The 60-Second Version
Think of it like a fake Wi-Fi hotspot — but for cell towers.
Your phone constantly scans for the strongest cell signal nearby. A legitimate tower operated by your carrier broadcasts at a certain power level. A rogue BTS (Base Transceiver Station) broadcasts louder on the same frequency. Your phone sees the stronger signal, disconnects from the real tower, and “camps” on the fake one — automatically, silently, without asking you.
Once your phone is connected to the attacker’s tower:
| What the attacker can do | How |
|---|---|
| Send SMS that look like they’re from your bank | The fake BTS pushes messages directly to your phone — no carrier spam filter in the way |
| Intercept your SMS (including 2FA codes) | Your outgoing texts route through their equipment first |
| Downgrade your connection to 2G | 2G has no encryption worth mentioning — everything becomes readable |
| Track your IMSI (unique device identifier) | Your phone hands over its identity automatically when connecting |
| Deny you service | Keep your phone locked to the fake tower — no real calls, no real data |
The attack range depends on the hardware. A basic setup covers a few hundred meters. With an RF amplifier and directional antenna, it can reach up to 10-22 miles in ideal conditions.
The key vulnerability: In GSM (2G), phones authenticate themselves TO the tower — but the tower never proves it’s real TO the phone. It’s a one-way trust system built in the 1990s. 4G/LTE improved this, but attackers bypass it by forcing phones to downgrade to 2G first.
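The one-way trust described above, modelled as an added example (not code from the original post): in the 2G exchange only the phone proves anything, while in the AKA-style exchange used from 3G onward the phone checks a network MAC before it answers. `Tower`, `Phone` and `prf` are hypothetical names, HMAC-SHA256 stands in for the SIM algorithms, and AKA's sequence number is left out.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """Stand-in for the SIM algorithms (A3 in GSM, f1 in AKA); HMAC-SHA256 is an assumption."""
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:n]

class Tower:
    """Base station; ki is None when whoever runs the tower lacks the subscriber key."""
    def __init__(self, ki=None):
        self.ki = ki

    def challenge_2g(self) -> bytes:
        return os.urandom(16)                        # RAND only, nothing proves the network

    def challenge_aka(self):
        rand = os.urandom(16)
        key = self.ki if self.ki else os.urandom(16)  # without Ki the MAC is a guess
        return rand, prf(key, b"net-mac", rand, 8)    # RAND plus network MAC (part of AUTN)

    def accepts(self, rand: bytes, sres: bytes) -> bool:
        if self.ki is None:
            return True                              # cannot check the response, lets it through
        return hmac.compare_digest(sres, prf(self.ki, b"sres", rand, 4))

class Phone:
    def __init__(self, ki: bytes):
        self.ki = ki

    def attach_2g(self, tower: Tower) -> bool:
        rand = tower.challenge_2g()
        sres = prf(self.ki, b"sres", rand, 4)        # phone proves itself to the tower
        return tower.accepts(rand, sres)             # no step lets the phone verify the tower

    def attach_aka(self, tower: Tower) -> bool:
        rand, net_mac = tower.challenge_aka()
        expected = prf(self.ki, b"net-mac", rand, 8)
        if not hmac.compare_digest(net_mac, expected):
            return False                             # network failed to prove it knows Ki
        return tower.accepts(rand, prf(self.ki, b"sres", rand, 4))

def demo() -> dict:
    ki = os.urandom(16)                              # constructed subscriber key
    phone, carrier, unknown = Phone(ki), Tower(ki), Tower()
    return {"2g_carrier": phone.attach_2g(carrier), "2g_unknown": phone.attach_2g(unknown),
            "aka_carrier": phone.attach_aka(carrier), "aka_unknown": phone.attach_aka(unknown)}

if __name__ == "__main__":
    print(demo())
```

The only attach that fails is the AKA one against the tower without the key, which is why forcing a phone down to 2G removes the protection.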
🔧 The Technical Stack — Software & Hardware
Everything needed to build a rogue BTS exists as open-source software on GitHub. The hardware is commercially available SDR (Software Defined Radio) equipment.
Software stack:
| Tool | What It Does | Where |
|---|---|---|
| OpenBTS | Turns an SDR into a working GSM base station — the core of most rogue BTS setups | GitHub |
| OsmocomBB | Open-source GSM baseband firmware — turns $10 Motorola phones into GSM research tools | GitHub |
| OpenBSC | GSM network controller — manages the fake cell network | GitHub |
| srsRAN | Full 4G/LTE stack — for LTE-level evil twin attacks | GitHub |
| YateBTS | Alternative BTS software compatible with 2.5G and 4G cores | yatebts.com |
| GnuRadio | SDR signal processing framework — the backbone for all radio hacking | GitHub |
| gr-gsm | GnuRadio blocks specifically for GSM signal analysis and decoding | GitHub |
| OpenAirInterface | Full 5G platform (3GPP Release-15+) — next-gen cellular research | GitLab |
Hardware:
| Device | Cost | Role |
|---|---|---|
| USRP B200/B210 | $700–$1,200 | The serious SDR — primary transceiver for rogue BTS |
| BladeRF | $400–$650 | Mid-range SDR alternative |
| HackRF One | $300–$350 | Budget SDR — functional but limited |
| RTL-SDR | $25–$35 | Receive-only — for passive GSM sniffing, can’t transmit |
| Motorola C118/C123 | $5–$15 used | OsmocomBB-compatible phone for baseband research |
| RF amplifier + antenna | $50–$200 | Extends range from meters to city blocks |
Total cost for a basic working rogue BTS: Under $1,000 with a HackRF + laptop + OpenBTS. Under $2,000 for a serious USRP-based setup with amplification.
🌍 The Global Pattern — This Isn't Just Brazil
Fake BTS attacks are exploding worldwide. The technique originated in China — where over 1,600 prosecutions happened by 2016 — and has since spread globally via exported hardware and knowledge.
| Country | Year | What Happened |
|---|---|---|
| China | 2010s | 1,600+ prosecutions. First mass deployment of fake BTS for spam. Government cracked down hard domestically — then the hardware started getting exported. |
| Brazil (SP) | 2025-2026 | Multiple busts. Car-mounted rigs blasting 40K SMS/hour through Paulista Avenue. Apartment setups near metro stations. Chinese and Israeli equipment seized. |
| Thailand (Bangkok) | 2024 | Chinese gang members arrested driving through Bangkok with SMS blasters. Hundreds of thousands of smishing messages sent. |
| Indonesia | 2025 | Two foreign nationals arrested with mobile fake BTS setup impersonating bank SMS. |
| UK (London) | 2025 | Chinese student sentenced for suitcase-sized SMS blaster operation covering ~1km radius. |
| Greece (Athens) | 2026 | First-ever fake BTS arrests in Greece. Two Chinese nationals driving through suburbs. Phones downgraded to 2G. |
| France, Norway, Switzerland, Serbia | 2024-2025 | Car-based SMS blaster operations discovered across Europe. |
The pattern is almost always the same: rogue BTS in a car or apartment → drive/broadcast through high-traffic areas → send bank impersonation SMS → harvest credentials through phishing pages → drain accounts.
São Paulo is now one of the world’s top hotspots, with Brazilian authorities creating a special cross-agency task force and holding a national workshop at Anatel HQ to address the surge.
🛡️ How to Protect Yourself — Defense Side
The honest truth: your phone can’t tell the difference between a real tower and a fake one. Not your iPhone. Not your Samsung. Not your Pixel. The vulnerability is at the protocol level, not the device level.
But you’re not completely helpless:
| Defense | What It Does | Limitation |
|---|---|---|
| Disable 2G on your phone | Prevents the downgrade attack that makes interception easy. On Android: Settings → Network → Preferred network type → LTE/5G only. | Some areas still need 2G for coverage. Not available on all phones. |
| Never click SMS links | If your bank texts you a link — open the bank app directly or type the URL yourself. Always. | Doesn’t prevent IMSI tracking or SMS interception. |
| Use app-based 2FA instead of SMS | Authenticator apps (Google Authenticator, Authy) don’t go through the cell network. SMS-based 2FA can be intercepted by a rogue BTS. | Requires switching all your 2FA methods manually. |
| Watch for signal anomalies | Sudden signal drops, unexpected 2G downgrades, or your phone briefly losing service in a busy area can indicate a fake BTS nearby. | Not reliable — could just be network congestion. |
| 5G standalone mode | 5G encrypts IMSI (now called SUPI) before transmitting and adds mutual authentication. Real 5G-SA networks resist fake BTS attacks significantly better. | Most networks still run 5G-NSA (non-standalone) which falls back to 4G/2G. |
Detection tools (research/security professionals):
| Tool | What It Does |
|---|---|
| Android IMSI-Catcher Detector | Open-source Android app that monitors for rogue base station indicators |
| Awesome-Cellular-Hacking | Master list of cellular security research, detection tools, papers, and tutorials |
| SnoopSnitch | Android app that detects SS7 attacks and fake base stations (requires Qualcomm baseband) |
| fakeBTS.com | Project focused on fake BTS detection using Linux + SDR scanning |
| Ericsson’s detection framework | Network-side detection using measurement reports — now part of 3GPP TS 33.501 (5G security spec) |
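The "watch for signal anomalies" row above, turned into a check over modem observations, as an added example (not taken from any of the tools listed): because a single anomaly is usually congestion or a coverage hole, it only alerts when two or more indicators fall inside one time window. The record layout, thresholds, cell names and sample captures are all constructed for illustration.

```python
from typing import NamedTuple

class Sample(NamedTuple):
    t: int      # seconds since the start of the capture
    rat: str    # "5G", "LTE", "GSM" or "NONE" (no service)
    cell: str   # serving cell identity reported by the modem ("" when no service)
    dbm: int    # received signal strength

USABLE_DBM = -105   # assumed: above this the LTE/5G signal was good enough to stay on
WINDOW_S = 120      # assumed: indicators this close together are treated as one event

def review(samples, known_cells):
    """Return [(time, [indicator, ...])] where two or more indicators coincide."""
    events, alerts, served = [], [], None
    for s in samples:
        if s.rat == "NONE":
            if served is not None:
                events.append((s.t, "service-loss"))
        else:
            if s.cell not in known_cells:
                events.append((s.t, "unknown-cell"))
            if (served is not None and s.rat == "GSM"
                    and served.rat in ("LTE", "5G") and served.dbm > USABLE_DBM):
                events.append((s.t, "2g-downgrade"))
            served = s
        recent = sorted({name for t, name in events if s.t - t <= WINDOW_S})
        # One indicator alone is usually congestion or a coverage hole; require two.
        if len(recent) >= 2 and (not alerts or alerts[-1][1] != recent):
            alerts.append((s.t, recent))
    return alerts

# Constructed sample data: cells seen on previous days, then two captures.
KNOWN = {"lte-1001", "lte-1002", "gsm-2001"}
WEAK_COVERAGE = [
    Sample(0, "LTE", "lte-1001", -90), Sample(30, "LTE", "lte-1002", -112),
    Sample(60, "GSM", "gsm-2001", -80), Sample(90, "LTE", "lte-1001", -92),
]
SUSPICIOUS = [
    Sample(0, "LTE", "lte-1001", -85), Sample(30, "NONE", "", 0),
    Sample(40, "GSM", "gsm-9999", -55), Sample(70, "GSM", "gsm-9999", -55),
    Sample(200, "LTE", "lte-1001", -86),
]

if __name__ == "__main__":
    print(review(WEAK_COVERAGE, KNOWN))
    print(review(SUSPICIOUS, KNOWN))
```

The weak-coverage capture falls back to a known 2G cell after the LTE signal fades and raises nothing; the second capture loses service, then lands on an unseen 2G cell straight after strong LTE, and is flagged once.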
📚 Deep Dive Resources — Research & Reference
| Resource | What It Covers |
|---|---|
| Awesome-Cellular-Hacking | Comprehensive curated list — GSM/LTE/5G security research, tools, attack tutorials, defense papers |
| HARD_device_attack | SDR/IMSI/BTS attack collection — papers, tools, setup guides for HackRF, BladeRF, USRP |
| Hacking-Mobile | Mobile hacking tools and research papers — LTE exploits, IMSI catchers, baseband attacks |
| telco_story | Practical walkthrough of building a 2G MITM setup — includes install scripts and Docker configs |
| Commsrisk SMS Blaster Map | Global tracking of fake BTS incidents — most comprehensive open-source intelligence on SMS blaster crime worldwide |
| DEF CON GSM talk (2014) | NSA Playset GSM — foundational DEF CON presentation on GSM interception |
| Ericsson: Detecting False Base Stations | How 5G’s detection framework works — proposed to 3GPP SA3, now in the 5G security spec |
| FBS-Radar (NDSS 2017) | Academic paper on uncovering fake base stations at scale in the wild |
Quick Hits
- Your phone auto-connects to the strongest signal — fake towers exploit this
- Disable 2G, never click SMS links, switch to app-based 2FA
- Awesome-Cellular-Hacking covers everything
- AIMSICD for Android
- Commsrisk maps every known SMS blaster bust
Your phone trusts every tower it sees. In 2026, that trust is the exploit.