Good Carder
From carder to carders. Did you think SMS 2FA was secure? That your bank wouldn't let anyone intercept your one-time password? Naive. In 2026, mobile network security is a house of cards that can collapse with a single portable device costing a couple thousand dollars. SMS blaster, IMSI catcher, 5G downgrade attack — these terms turn any phone into a radio interceptor capable of stealing your money.
In this article, I'll examine real-world attacks on mobile networks — from creating fake towers to intercepting 2FA codes. You'll learn how hardware (USRP, LimeSDR, StingRay) works, how to cheaply assemble an SMS blaster, how the SNI5GECT downgrade attack works, and how this combination allows for the theft of access to banks and crypto wallets.
Part 1. 5G: The Illusion of Security
The main myth about 5G is that it's "unhackable" and "protected by quantum encryption." In reality, it's much more prosaic: 5G is better protected than 4G, but its Achilles heel is backward compatibility. The phone decides for itself which network to connect to, and a carder can convince it to use older, more flawed protocols (2G, 3G). By studying several real-world attacks, you can understand how this works.
The simplest and most dangerous attacks on modern networks are IMSI catchers (also known as StingRay) and SMS blasters. The former disguise themselves as a legitimate tower and intercept phone IDs within a radius of up to a kilometer. The latter is a more aggressive version, bombarding the victim with phishing SMS messages, bypassing all operator filters. Both attacks are based on the same principle: the phone doesn't verify the authenticity of the base station, so any device with a stronger signal siphons all the traffic nearby. At this point, a carder can read all your traffic, extract OTPs, steal your IMSI, and redirect you to phishing websites.
The beauty of it is that this vulnerability is impossible to eliminate in 5G and 4G. For backward compatibility, operators retain legacy protocols, which are the primary vector for downgrade attacks. This is how we intercept secure traffic through legacy protocols.
Part 2. IMSI Catcher (StingRay): Identifier Interception and Geolocation
This is the foundation of all mobile attacks. An IMSI catcher is a device that imitates a real cell tower, but is essentially a MITM proxy. The attack operates in several stages.
The attack technology:
- Jamming. The device (StingRay) jams the signal of a real operator tower on 4G/5G frequencies.
- Decoy. It begins broadcasting a signal in its own name with a strength significantly higher than that of the legitimate tower. All phones within a kilometer radius automatically switch to this "golden" source.
- Downgrade. Once in the role of a "tower," StingRay sends a command to the phone to switch to the legacy 2G protocol (GSM).
- Data collection. 2G networks have no subscriber encryption and no tower authentication. The device can now freely read all traffic and collect IMSI and IMEI identifiers from the phone for geolocation tracking.
IMSI catchers are actively sold to private companies and are used not only for traditional "raids" but also for direct carding. The obtained IMSI can be linked to a real phone number, and then SMS messages containing 2FA codes can be intercepted via the SS7 protocol. Retail prices for such devices range from 5,000 to 5,000 rubles, depending on the range and additional signal suppression modules.
Part 3. SMS Blasters: Mass Phishing within a 1-2 km radius
If an IMSI catcher is a sniper rifle, then an SMS blaster is a rocket launcher. It's a portable device that looks like a suitcase or backpack with antennas. It mimics a cell phone tower and projects a powerful LTE signal, intercepting the connections of thousands of phones within a kilometer radius. As soon as a phone connects to the fake tower, the blaster forces it to switch to insecure 2G mode and sends messages directly to the phone's memory, bypassing the carrier's SMS center. A standard spam filter simply doesn't see these messages.
The entire chain from capture to message injection takes less than ten seconds. After sending the message, the device powers down, and the phone returns to the legitimate tower, without the owner even noticing the substitution.
Notable incidents in 2026:
- In March 2025, a student drove through London with an SMS blaster in his trunk, forcing thousands of phones to connect to a fake cell phone tower. His messages, offering tax refunds, appeared to be official from HMRC. Remarkably, even the police officers who responded to the call received a phishing message on their phones — from a device in the trunk of the car they were heading to.
- Between 2025 and 2026, a gang operated in Toronto, Canada, using cars equipped with SMS blasters to generate up to 13 million network events. They impersonated cell towers, disrupted connections to thousands of phones, and then sent phishing messages. The group, consisting of three individuals, was eventually arrested.
In SMS blaster messages, scammers often imitate notifications from banks: "Your account has been accessed suspiciously. Follow the link to block it" or "Your PayPal account has been blocked. Log in using the link to remove restrictions." When the victim clicks the link, their login and password are stolen, and 2FA is bypassed through actual SMS interception.
For a carder, the cost of SMS blaster equipment ranges from 3,000 to 10,000 rubles for a ready-made professional kit. However, a cheaper alternative can be assembled using a LimeSDR (costing around 300-400 rubles) and a regular laptop with OpenLTE or srsRAN software. This, including an antenna and amplifier, brings the total cost to around 1,000-1,500 rubles.
Part 4. Downgrade Attacks: SNI5GECT and "5Ghoul"
Modern downgrade attacks make it possible to hack the most secure 5G protocol without jamming the signal at all. The latest development, SNI5GECT (Advanced open-source framework for 5G NR sniffing and injection by Singapore University of Technology and Design), was presented at USENIX Security in 2025 and is already being actively used to hack networks. Unlike classic IMSI catchers, it is a passive third party. It does not create a decoy tower, but intercepts unencrypted traffic early in the connection establishment process and injects its own data at the right moment.
How SNI5GECT works:
- Passive interception. The attack uses an SDR device (USRP/LimeSDR) to eavesdrop on radio communications. When the phone attempts to reconnect (for example, after exiting a tunnel or disabling airplane mode), it transmits service parameters unencrypted.
- Synchronization. SNI5GECT intercepts this traffic and calculates the exact time for injection.
- Message substitution. The carder, with minimal delay, inserts a modified packet that appears to be a response from a legitimate base station.
- Investigation. Depending on the packet modification, the device may either crash (BSOD) (slow MediaTek modems) or receive a command to switch to a 4G network, where all other attacks (IMSI harvesting, SMS blasting) can continue. Importantly, after such an attack, the phone may permanently "ban" that base station and never connect to it normally again.
The most persistent attack is a protocol downgrade attack using a fake Registration Reject, which forces the device to fall back to the less secure 4G (LTE). This works on real Qualcomm, MediaTek, and Samsung chipsets and has already been recognized by the industry as part of the GSMA CVD-2024-0096 vulnerability database. The main advantage of this technique is that it doesn't require searching, doesn't create a strong background noise that would reveal a fake tower, and remains invisible to operators.
The SNI5GECT framework is already published on GitHub with all the source code and deployment documentation. With it, even a novice with LimeSDR can set up a fully functional tool for intercepting 5G traffic for $400.
Part 5. SS7 and Diameter: Global Interception Without Jamming
These protocols underlie roaming and data transfer between operators. The SS7 protocol emerged back in the 1970s and simply didn't provide for authentication, with all its clients being "their own" by default. Today, a carder who gains access to SS7 (via a hacked operator or commercial provider) can send any request "on behalf of" the victim's mobile operator: determine the phone's real location to within a hundred meters, reroute all calls, intercept SMS messages, and then use this data to steal money.
How the attack works: Simply request the "Provide Subscriber Information" from SS7 for the victim's mobile operator, and the system will return data from the tower to which the phone is connected. This is one of the reasons why SMS-2FA is no longer considered reliable protection: carders can intercept the OTP code at the operator level without hacking your phone. Equipment for working with SS7/Diameter is expensive, but it can be rented in closed circles. The monthly rental price for SS7 access starts at 10,000, and for large projects it can reach 50,000+ per month.
Part 6. Equipment for 5G attacks and the cost
- USRP B200mini / B210. A ready-to-use industrial kit for radio research. Fully compatible with 5G and LTE, clock speeds up to 56 MHz, and support for frequencies up to 6 GHz. Price range: 1,500–3,000.
- LimeSDR (budget alternative). A cheaper SDR transceiver that supports projects like OpenLTE and srsLTE. Price: 300–400. Ideal for building an SMS blaster and running tools like SNI5GECT.
- BladeRF 2.0 micro. Professional tool with 2x2 MIMO, 5G NR support, price: 900–1,200.
- Raspberry Pi + SIM800 module. For creating a simple IMSI catcher on 2G networks using legacy protocols. Price: 50-100.
- DIY SMS blaster. Basic kit: LimeSDR (350) + Raspberry Pi4 (100) + laptop with GNURadio and OpenLTE/srsRAN software. With antennas and amplifiers, it costs around 800–1,500 rubles.
The final cost of hacking 5G networks for an average operator skilled in soldering and scripting is $1,500–$2,500. High-quality preparation for mass attacks on banks with 2FA interception can cost as much as $10,000–$20,000.
Part 7: OPSEC for Mobile Attack Operators
- Work on the move. A fake tower, even in a backpack, emits a powerful signal that can be localized. You can use jammers, but in civilian areas, this will immediately attract law enforcement. A car is ideal. In the Canadian case, carders drove around Toronto in cars with equipment in the trunk, allowing them to operate for several months without being caught. A Chinese student in London did the same with an SMS blaster in his Honda CR-V.
- Equipment concealment. The device should be hidden in a suitcase, backpack, or insulated bag to prevent overheating. For permanent installation, attics or high-rise rooftops are best, as these locations provide the longest signal reach.
- Clean SIM cards and funds. Use Monero and the darknet to purchase equipment. Never use personal accounts for funds. Rent a car in another country for cash. After the transaction, hide the device or change its appearance.
- Signature monitoring. If you're using ready-made software (like OpenLTE), its radio signature is known to operators. Fake tower detectors exist, and operators can quickly identify you. Some operators have already switched to using AI systems to detect signal anomalies, making attacks in crowded areas extremely dangerous.
- Using an IMSI catcher. A simple IMSI catcher only requires LTE/4G bandwidth to intercept traffic without downgrading to 2G. For full-fledged SMS interception and 2FA bypass, a cascade attack is used: first, the connection is downgraded to 4G using SNI5GECT injection from real 5G traffic. Then, a classic IMSI catcher intercepts 2FA codes over the air, and you gain access to your account. The entire process takes 30-60 seconds and is fully automated.
Summary
SMS-2FA is dead. IMSI catchers and SMS blasters turn phones into eavesdropping devices, and intercepting roaming protocols allows them to attack victims worldwide. In 2026, any carder with a budget of under $2,000 can rent equipment and intercept the OTP codes of thousands of people in crowded places. Current attacks have already reached commercial levels. SMS blasters project a powerful signal, forcing phones to connect to them, and phishing messages are sent directly to victims, bypassing operator filters. SNI5GECT allows hacking the secure 5G protocol itself simply by injecting packets into the unprotected connection, even without signal jamming.
A quick one-line reminder:
"An SMS blaster in a car projects a signal for a kilometer, and phones automatically connect to a fake tower. 10 seconds—and the carder has an SMS with an OTP. SS7 hacks global roaming, IMSI-catchers calculate geolocation, SNI5GECT downgrades 5G to vulnerable 4G. The entire process is automated. Your only chance is to disable 2G and forget about SMS confirmation. In 2026, mobile network security is your personal choice."
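A defensive check for the sequence Part 3 describes (a much stronger unknown cell, a forced drop to 2G, an SMS, then a return to the legitimate tower), written as an added example that is not part of the original post. The event format, the cell IDs, and the 15 dB / 30 s thresholds are assumptions chosen for illustration, and the log is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Episode:
    start: float
    cell: str
    reasons: list = field(default_factory=list)
    sms_ids: list = field(default_factory=list)

def find_suspect_episodes(events, jump_db=15, window_s=30):
    """Flag short stays on an unknown, much stronger cell that drop to GSM and deliver an SMS."""
    known, flagged = set(), []
    cur = None   # current serving-cell event
    ep = None    # open candidate episode, if any
    for ev in events:
        if ev["kind"] == "sms":
            # Only an SMS received on 2G inside a candidate episode is suspect.
            if ep and cur["rat"] == "GSM":
                ep.sms_ids.append(ev["id"])
            continue
        prev, cur = cur, ev
        if ep and ev["cell"] in known:
            # Back on a trusted cell: flag only if the full pattern fit the window.
            if ep.sms_ids and ev["t"] - ep.start <= window_s:
                ep.reasons.append(f"back on known cell after {ev['t'] - ep.start}s")
                flagged.append(ep)
            ep = None
        elif ep is None and prev and ev["cell"] not in known:
            gain = ev["dbm"] - prev["dbm"]
            if gain >= jump_db:
                ep = Episode(ev["t"], ev["cell"], [f"unknown cell, +{gain} dB"])
        if ep and ev["rat"] == "GSM" and "downgraded to GSM" not in ep.reasons:
            ep.reasons.append("downgraded to GSM")
        if ep is None:
            known.add(ev["cell"])   # ordinary handovers extend the baseline
    return flagged

# Constructed handset radio log (hypothetical format, not real capture data).
SAMPLE_EVENTS = [
    {"t": 0,   "kind": "cell", "rat": "NR",  "cell": "A1",  "dbm": -95},
    {"t": 40,  "kind": "cell", "rat": "NR",  "cell": "A2",  "dbm": -92},  # normal handover
    {"t": 60,  "kind": "sms",  "id": "sms-1"},                            # SMS on 5G
    {"t": 100, "kind": "cell", "rat": "LTE", "cell": "X9",  "dbm": -60},  # +32 dB, unknown
    {"t": 103, "kind": "cell", "rat": "GSM", "cell": "X9g", "dbm": -58},  # forced to 2G
    {"t": 106, "kind": "sms",  "id": "sms-2"},                            # arrives on 2G
    {"t": 112, "kind": "cell", "rat": "NR",  "cell": "A2",  "dbm": -93},  # back on known cell
    {"t": 300, "kind": "cell", "rat": "LTE", "cell": "B7",  "dbm": -70},  # strong, but no 2G
    {"t": 320, "kind": "sms",  "id": "sms-3"},
    {"t": 400, "kind": "cell", "rat": "NR",  "cell": "A2",  "dbm": -94},
]

if __name__ == "__main__":
    for e in find_suspect_episodes(SAMPLE_EVENTS):
        print(e.cell, e.sms_ids, e.reasons)
```

Messages listed in `sms_ids` are the ones to treat as untrusted (quarantine, strip links); a strong new cell alone, such as `B7` here, is not flagged.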