Austria at the Center of a Global Surveillance Scandal Involving Celebrities, Politicians, and Red Bull Executives

At the center of it all is the Indonesian company First Wap, which illegally tracked thousands of people over many years using the outdated mobile communications protocol SS7 (Signaling System No. 7). The trail leads straight to Austria, as reported by "DerStandard". The company's founder was from Tyrol, and the head of sales is Austrian.

Between 2007 and 2014, more than 1.5 million queries of cell phone numbers from 168 countries were registered. The list of those allegedly monitored is prominent and diverse. It includes celebrities such as Austrian singer Wolfgang Ambros and Hollywood actor Jared Leto. Also included are former BVT chief Gert-René Polli and Vatican whistleblower Gianluigi Nuzzi. The data also suggests cases of stalking and industrial espionage.

Surveillance activities in Austria focused particularly strongly on the Red Bull Group, as reported by "DerStandard". More than 20 former and current employees of Red Bull Media House – including top managers such as the then managing director Andreas Gall and heads of important departments (“Head of Legal,” “Head of Sport”) – were tracked over a thousand times, in some cases via their private cell phones. None of those affected had given their consent. Gall described the surveillance of his global movement profiles as “creepy and shocking.”

The Achilles heel is SS7

The surveillance was carried out using the First Wap system Altamides, which exploited the security gaps in the decades-old SS7 protocol. SS7 is essential for roaming and communication between mobile networks, but it is considered the “Achilles heel of mobile networks” because it dates back to a time when security was hardly an issue. One-third of the allegedly illegal tracking operations ran via an SS7 access point belonging to Telecom Liechtenstein. The state-owned company confirmed that it had been working with First Wap for many years in the area of SMS messaging. However, due to the “serious allegations,” the business relationship was “suspended immediately and all services blocked.”

Business in the “dark gray area” and denials

The undercover investigation showed that First Wap was willing to cross the boundaries of legality, as reported by "DerStandard". Austrian sales director Günther Rudolph and German managing director Jonny Goebel were willing to conduct business with sanctioned Niger via an Indonesian office to circumvent export licenses. Goebel called this a deal in the “dark gray area.” Rudolph himself warned that he could “go to prison” for this business.

First Wap's management denies “any illegal activity” and rejects all allegations, referring to the undercover recordings as “misunderstandings.” Red Bull states that there are “no documents” proving that the company or founder Dietrich Mateschitz was aware of the surveillance of their employees.

Call for clarification and protective measures

In view of the massive and allegedly illegal surveillance, politicians and those affected are now demanding a full investigation, as reported by ORF. The Green Party has announced parliamentary inquiries. Since similar surveillance requires judicial permission in Austria and Germany, there is suspicion of illegal espionage.

Complete protection against SS7 attacks is difficult as long as the old 2G and 3G networks exist (source: German Bundestag, details on SS7 signaling vulnerabilities). Experts recommend protective measures for users, such as disabling 2G support on modern smartphones (e.g., via “lockdown mode”) to minimize the general risk of surveillance. Due to the insecurity of SMS, switch to more secure second factors for multi-factor authentication. For sensitive communication and telephony, use apps such as Signal, as these prevent eavesdropping via the mobile network.