Türkiye's National Intelligence Organization (MIT), in coordination with the Istanbul Chief Public Prosecutor’s Office and Istanbul Police Department, has dismantled a cyber espionage network using fake base stations to collect personal and financial data from citizens.
Seven foreign nationals were caught in the act and taken into custody. They were later formally arrested following court proceedings.
The investigation began after multiple complaints from GSM users reporting suspicious SMS messages that appeared to be sent by public institutions and major corporations. MIT's technical teams traced the source of the messages and identified that a fake base station method had been used.
The analysis revealed that China-manufactured devices were used to set up mobile base stations that deceived users' phones into connecting. Once connected, users received SMS messages mimicking legitimate service providers, demanding payments and collecting sensitive data.
MIT identified seven suspects, organized into three groups under the command of a figure known as "Patron." The group operated across Istanbul, Izmir, Bursa, and Yalova using rented vehicles and mobile equipment.
The perpetrators reportedly funneled intercepted communication data and user information to a China-based server. The data was then used in targeted phishing attacks via a foreign application, leading some users to share credit card details and make unauthorized payments.
After intensive surveillance and technical tracking by MIT, prosecutors, and law enforcement, the suspects were apprehended in rented vehicles during live operations. The equipment used in the scheme was supplied by a Chinese national who owned an electronics business in Istanbul. That individual was also detained.
Investigations revealed that the suspects entered Türkiye in March 2025. They had quickly acquired GSM lines under different identities to mask their tracks.
Authorities have launched a broader probe into how the devices were imported into the country, examining customs and border records. The confiscated fake base stations and digital materials are now undergoing forensic examination.
The investigation into the suspects' network and connections remains ongoing.