In two separate operations in February and August 2025, Kuwaiti authorities dismantled mobile
fraud cells operating rogue Base Transceiver Stations - portable fake cell towers - from
vehicles circulating through Kuwait City and the Salmiya district. The operations resulted in
the arrest of eight foreign nationals: six Chinese nationals in the first operation and two
Nigerian nationals in the second. Both cells were operating hardware capable of intercepting
legitimate mobile network traffic and injecting fraudulent SMS messages impersonating Kuwaiti
banks and financial institutions into the devices of nearby citizens.
Cybersecurity firm Resecurity linked the operations to the “Smishing Triad,” a well-documented
transnational fraud network with confirmed activity in over 121 countries. The Kuwait operations
represent two of the most technically sophisticated smishing interdictions in the Gulf in 2025,
and the August arrest marked the first confirmed instance of Kuwait’s Communications and
Information Technology Regulatory Authority (CITRA) directly triggering a major cybercrime
enforcement operation through its own network monitoring capabilities.
## Key Facts
- **What:** Rogue cell towers in vehicles sent fake bank SMS to steal credentials in Kuwait.
- **Who:** Banking customers in Kuwait City and Salmiya targeted via spoofed messages.
- **Data Exposed:** Banking credentials and OTPs intercepted through fake BTS towers.
- **Outcome:** Eight foreign nationals arrested; KD 5 million in funds protected by police.
## What Happened
In two separate operations five months apart, Kuwaiti authorities dismantled mobile fraud cells operating rogue Base Transceiver Stations from vehicles circulating through Kuwait City's commercial districts.
The first operation, on February 13, 2025, was triggered by concurrent alerts from multiple Kuwaiti telecom companies and banking institutions reporting anomalous SMS patterns.
Signal-tracking by the Cybercrime Combating Department located a vehicle in the Farwaniya area carrying BTS hardware and a six-person crew of Chinese nationals with forged identity documents.
A Kuwaiti citizen and Egyptian expatriate were subsequently arrested for visa trafficking. The equipment seized included BTS hardware, a laptop managing injection campaigns, and databases of mobile numbers from previous regional operations.
The second operation, on August 10, 2025, marked a significant development: it was initiated not by telecom or bank alerts but by CITRA's own network monitoring systems detecting suspicious intrusions into Kuwait's telecommunications infrastructure.
CITRA filed a formal law enforcement referral, and signal-tracking located a vehicle in the Salmiya district operating rogue BTS equipment. Two Nigerian nationals were arrested after a failed vehicle pursuit.
Cybersecurity firm Resecurity attributed both operations to the Smishing Triad, a transnational fraud network with confirmed activity in over 121 countries.
The Cybercrime Combating Department reported protecting KD 4 million (approximately $13 million USD) in citizen funds targeted in related December 2024 operations, and an additional KD 1 million ($3.2 million USD) during January through May 2025. The total KD 5 million in protected funds establishes the financial scale of the rogue BTS threat to Kuwaiti banking customers.
The August operation was the first confirmed instance of CITRA directly triggering a major cybercrime enforcement operation through its own monitoring capabilities - a concrete operational output of the DPPR Decision 26/2024 framework functioning as intended.
## Operation One: The Farwaniya Cell (February 13, 2025)
The first operation unfolded on February 13, 2025, when Kuwait’s Cybercrime Combating Department
began receiving concurrent alerts from multiple Kuwaiti telecom companies and banking institutions.
The alerts described an anomalous pattern of SMS messages appearing to originate from official
bank sender IDs but containing phishing links directing recipients to credential-harvesting pages.
The volume and geographic clustering of complaints pointed to a localized emission source rather
than a conventional internet-based smishing campaign operating from overseas infrastructure.
A rogue BTS - also known as an IMSI catcher or “stingray” device - works by broadcasting
a cell tower signal stronger than legitimate towers in the vicinity. Mobile phones within range
automatically connect to the strongest available signal without any user action or authentication
requirement on the device side. Once connected, the rogue BTS can intercept unencrypted SMS
traffic passing through it and, more relevantly in this case, inject arbitrary SMS messages
directly into connected handsets with any sender ID the operator chooses to configure. The
spoofed sender ID is indistinguishable from a legitimate bank message in the recipient’s
message thread, appearing alongside genuine historical communications from the same institution.
Signal-tracking operations by the Cybercrime Combating Department located the rogue BTS
emission source to a vehicle circulating through the Farwaniya area of Kuwait City. The
vehicle was stopped and a six-person crew of Chinese nationals was arrested. Biometric scanning
during the arrest process revealed that the individuals were carrying forged identity documents
and falsified residency records. The investigation subsequently identified a Kuwaiti citizen and
an Egyptian expatriate who were arrested separately on charges of visa trafficking - indicating
that the cell had an established support network facilitating their presence in Kuwait on
fraudulent documentation.
The equipment seized from the vehicle included the BTS hardware itself, alongside a laptop
infrastructure used to manage the injection campaigns, databases of mobile numbers acquired
from previous smishing operations in the region, and logs suggesting the cell had been
operational for a period preceding the February 13 arrests. The Cybercrime Combating Department
noted that its intervention had protected KD 4 million (approximately $13 million USD) in
citizen funds that had been targeted in related December 2024 operations, and an additional
KD 1 million (approximately $3.2 million USD) protected during the January through May 2025
period, figures that establish the scale of the financial exposure that rogue BTS operations
represent to Kuwaiti banking customers.
Resecurity’s attribution of the February cell to the Smishing Triad is consistent with
the operational profile of that network, which has been documented operating rogue BTS hardware
from vehicles in multiple countries across Europe, Asia, and the Middle East. The Smishing
Triad is not a single organization in the conventional sense but rather a loosely federated
criminal ecosystem that provides shared technical infrastructure - including BTS hardware,
phishing page templates, and stolen data aggregation services - to criminal cells operating
in various countries under localized targeting parameters. The Kuwait operation’s targeting
of Kuwaiti-specific bank brands and its use of Arabic-language phishing pages calibrated to
Kuwaiti financial institutions together suggest either a sophisticated localization capability within
the Smishing Triad ecosystem or the engagement of local criminal partners with knowledge
of the Kuwait banking landscape.
## Operation Two: The Salmiya Cell (August 10, 2025)
The August 10, 2025 operation differed from its February predecessor in one significant and
consequential respect: it was initiated not by alerts from telecom companies or banks, but
by CITRA’s own network monitoring systems detecting suspicious intrusions into Kuwait’s
telecommunications networks. CITRA filed a formal report with law enforcement based on its
own technical detection, and the resulting signal-tracking operation located a vehicle in
the Salmiya district of Kuwait City operating rogue BTS hardware.
The arrest of the two Nigerian nationals operating the August cell was complicated by an
active flight attempt - the driver of the vehicle attempted to flee when approached by
authorities, resulting in a collision with other vehicles before the cell was successfully
apprehended. The rogue BTS equipment was seized, and the investigation established that
the August cell had been targeting telecom customers in the Salmiya area in a pattern
consistent with the February operation: spoofed bank SMS messages directing recipients
to credential-harvesting infrastructure.
The significance of the August operation lies in what it reveals about the maturation of
Kuwait’s regulatory and enforcement posture. CITRA’s ability to independently detect
unauthorized intrusions into telecom network infrastructure and translate that detection into
an actionable law enforcement referral represents exactly the kind of proactive regulatory
function that its recent governance framework was designed to enable. The DPPR Decision 26/2024,
which mandated 24-hour breach notification obligations for telecommunications operators
effective January 1, 2025, had created new reporting channels and presumably enhanced
information-sharing protocols between CITRA and the Cybercrime Combating Department. The
August operation can reasonably be read as the first concrete operational output of that
enhanced regulatory framework functioning as intended.
The choice of Salmiya as the operational area for the August cell is worth noting from an
intelligence perspective. Salmiya is one of Kuwait’s most densely populated commercial
and residential districts, with a high concentration of expatriate residents who may be
less familiar with specific Kuwaiti banking security conventions and therefore more susceptible
to convincingly spoofed SMS messages appearing to originate from their banking institutions.
The geographic targeting of the cell suggests either operational intelligence about victim
demographics or a systematic approach to maximizing the density of potential victims per
hour of rogue BTS operation.
## Technical Anatomy of the Rogue BTS Attack
The rogue BTS attacks documented in Kuwait exploit a fundamental architectural weakness in
the 2G (GSM) mobile network protocol that has been understood by security researchers since
the early 2000s but has never been fully remediated due to the cost and complexity of legacy
network upgrades. GSM does not implement mutual authentication between mobile devices and
base stations - a handset will connect to any tower broadcasting the right network identifiers
at sufficient signal strength without verifying the tower’s legitimacy. This design decision,
made when the primary concern was call quality rather than security, created a permanent attack
surface that portable hardware costing a few thousand dollars can exploit.
Modern 4G LTE and 5G networks implement substantially stronger authentication mechanisms
that make full IMSI catcher attacks significantly more difficult, though not impossible.
However, many devices and many carriers in the region continue to fall back to 2G for SMS
delivery even in areas with 4G coverage, a legacy compatibility mechanism that preserves
the attack surface for rogue BTS operations. Attackers operating the hardware documented
in the Kuwait cases did not need to defeat 4G security - they only needed to be more
attractive to handsets than the weakest available signal in their operational area, which
in practice means broadcasting at sufficient power to pull nearby devices onto their
2G-emulated network for the duration of SMS injection.
The smishing payload itself - the fraudulent SMS message - typically directs the recipient
to a phishing page designed to harvest banking credentials, one-time passwords, or card
numbers. The sophistication documented in the Smishing Triad’s operations includes real-time
OTP relay infrastructure that allows the operator to use harvested credentials immediately,
before the victim has time to detect the fraud and contact their bank. In the Kuwait cases,
the banks’ fraud monitoring systems appear to have been an important detection layer, as
the initial alerts that triggered the February investigation came from the banks themselves
observing anomalous credential use patterns consistent with a phishing campaign targeting
their customers in a specific geographic area.
For organizations operating in Kuwait, the rogue BTS threat model has direct implications
for SMS-based authentication systems. Any organization that relies on SMS-delivered one-time
passwords as a factor in multi-factor authentication for employee access, customer login,
or transaction authorization is exposed to the scenario documented in these Kuwait cases,
where a rogue BTS can intercept and relay OTPs in real time. The National Institute of
Standards and Technology has for years recommended against SMS as an authentication factor
precisely because of this vulnerability, and the documented Smishing Triad operations in
Kuwait provide a vivid regional illustration of why that guidance exists. Organizations
should be accelerating migration from SMS OTP to authenticator application-based or
hardware token-based second factors for any access path involving sensitive systems or
financial transactions.
## Regulatory Framework and CITRA’s Evolving Role
Kuwait’s primary legal instrument for cybercrime is Law No. 63/2015, the Cybercrime Law,
which establishes criminal penalties for unauthorized access to computer systems and networks,
data interception, and electronic fraud. The operation of rogue BTS hardware for the purpose
of intercepting SMS traffic and injecting fraudulent messages falls squarely within the
unauthorized access and interception provisions of Law 63/2015, and the arrests in both
the February and August operations were processed under its authority. Maximum financial
penalties under the law reach KWD 20,000, though the criminal proceedings in cases of this
severity typically emphasize custodial sentences rather than fines, and the deportation
of foreign nationals after sentence completion is the standard outcome for cases involving
non-resident criminal actors.
CITRA’s DPPR Decision 26/2024 is the more operationally significant recent development
in Kuwait’s cybersecurity governance posture. Effective January 1, 2025, the decision
mandated that telecommunications operators report security breaches to CITRA within 24 hours
of detection. This notification requirement creates two important operational dynamics.
First, it compels telecom operators to invest in detection capabilities sufficient to
identify breaches quickly, since the clock starts running from detection rather than from
occurrence. Second, it creates a centralized information flow to CITRA that enables the
regulator to correlate signals across multiple operators - a capability that is critical
for detecting rogue BTS operations, which affect all operators whose customers are within
the device’s range simultaneously.
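The correlation logic described here, and the geographic clustering that distinguished the February complaints from an overseas internet-based campaign, can be illustrated with a small triage routine. The code below is an added example, not a system used by CITRA, the Cybercrime Combating Department or any Kuwaiti operator; the complaint records, district names, source labels and thresholds (15-minute windows, at least five reports from at least two reporting sources, 80% concentration in one district) are constructed assumptions for illustration.

```python
"""Correlate spoofed-SMS complaints from several reporting sources and decide
whether a burst looks like a localized emission source (rogue BTS) or a
diffuse internet-based smishing campaign. Added illustration; not code from
any Kuwaiti regulator, operator or bank. All records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed complaint feed: (timestamp, reporting source, district of the
# complaining subscriber, spoofed sender ID seen in the message).
COMPLAINTS = [
    # burst 1: three sources, almost all in one district -> localized source
    ("2025-02-13T10:02:00", "telco-A", "Farwaniya", "BANK-KW"),
    ("2025-02-13T10:03:30", "telco-B", "Farwaniya", "BANK-KW"),
    ("2025-02-13T10:05:10", "bank-X", "Farwaniya", "BANK-KW"),
    ("2025-02-13T10:07:45", "telco-A", "Farwaniya", "BANK-KW"),
    ("2025-02-13T10:09:00", "bank-X", "Farwaniya", "BANK-KW"),
    ("2025-02-13T10:11:20", "telco-B", "Hawalli", "BANK-KW"),
    # burst 2: same volume but spread over many districts -> diffuse campaign
    ("2025-02-13T14:01:00", "telco-A", "Jahra", "BANK-KW"),
    ("2025-02-13T14:02:00", "bank-X", "Salmiya", "BANK-KW"),
    ("2025-02-13T14:04:00", "telco-A", "Hawalli", "BANK-KW"),
    ("2025-02-13T14:06:00", "bank-X", "Fahaheel", "BANK-KW"),
    ("2025-02-13T14:08:00", "telco-A", "Farwaniya", "BANK-KW"),
    ("2025-02-13T14:10:00", "bank-X", "Jahra", "BANK-KW"),
    # background noise: too few reports to act on
    ("2025-02-13T16:03:00", "telco-B", "Salmiya", "BANK-KW"),
    ("2025-02-13T16:09:00", "telco-B", "Jahra", "BANK-KW"),
]

WINDOW_MINUTES = 15   # assumed correlation window
MIN_REPORTS = 5       # assumed minimum reports per window to raise anything
MIN_SOURCES = 2       # independent sources required (one operator alone is not enough)
CONCENTRATION = 0.8   # share of a window's reports that must sit in one district


def bucket(ts: str) -> datetime:
    """Floor an ISO timestamp to the start of its 15-minute window."""
    t = datetime.fromisoformat(ts)
    return t - timedelta(minutes=t.minute % WINDOW_MINUTES,
                         seconds=t.second, microseconds=t.microsecond)


def correlate(complaints):
    """Group complaints by window; return one assessment per qualifying window."""
    windows = defaultdict(list)
    for ts, source, district, sender in complaints:
        windows[bucket(ts)].append((source, district, sender))

    alerts = []
    for start, recs in sorted(windows.items()):
        if len(recs) < MIN_REPORTS:
            continue
        sources = {s for s, _, _ in recs}
        if len(sources) < MIN_SOURCES:
            continue  # a single source may just be one operator's own problem
        per_district = defaultdict(int)
        for _, district, _ in recs:
            per_district[district] += 1
        top_district, top_count = max(per_district.items(), key=lambda kv: kv[1])
        share = top_count / len(recs)
        localized = share >= CONCENTRATION
        alerts.append({
            "window": start.isoformat(),
            "reports": len(recs),
            "sources": sorted(sources),
            "senders": sorted({snd for _, _, snd in recs}),
            "district": top_district if localized else None,
            "share": round(share, 2),
            "assessment": "localized-emission" if localized else "diffuse-campaign",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(COMPLAINTS):
        print(a)
```

A "localized-emission" assessment is the cue to hand the window and district to a signal-tracking team rather than to the usual takedown-of-phishing-domains workflow; the "diffuse-campaign" case keeps the conventional response. The multi-source requirement is what a regulator sitting above all operators can satisfy and a single operator cannot.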
The August 2025 operation demonstrated this correlation capability in practice. CITRA’s
ability to independently detect suspicious intrusions into telecom networks suggests that
the regulator has developed or deployed monitoring infrastructure that goes beyond receiving
operator notifications - it implies active visibility into telecom network anomalies that
can be generated without waiting for an operator to identify and report a breach. This
represents a significant maturation of Kuwait’s regulatory enforcement posture and positions
CITRA as an active operational participant in cybercrime response rather than a passive
recipient of compliance reports.
For telecommunications operators in Kuwait, the DPPR Decision 26/2024 framework creates
concrete compliance obligations with real enforcement consequences. The 24-hour notification
window is demanding - it requires not just incident detection but also internal triage,
escalation, and regulatory reporting within a single business day. Organizations that have
not invested in the Security Operations Center capabilities, automated anomaly detection,
and pre-drafted regulatory notification templates necessary to meet this timeline are exposed
to regulatory sanctions in addition to the customer and reputational harm that follows a
smishing incident. The Kuwait cases suggest that CITRA has both the technical visibility
and the institutional willingness to hold operators accountable when their networks are
being used as attack infrastructure against their customers.
## Pattern Recognition: The Smishing Triad’s Gulf Expansion
Resecurity’s documentation of Smishing Triad activity in 121 countries places the Kuwait
operations within a global pattern of rogue BTS deployment that has accelerated significantly
since 2023. The availability of relatively affordable BTS hardware through gray market
channels, combined with the persistent GSM vulnerability that enables the attack, has
lowered the barrier to entry for criminal cells willing to operate what is essentially
a physical piece of telecommunications infrastructure in a moving vehicle. The operational
security requirements are manageable - keep the vehicle moving to avoid triangulation,
use the hardware for short deployment windows, and have false documentation prepared
in the event of a traffic stop.
The Gulf region presents specific characteristics that make it an attractive operational
environment for Smishing Triad-affiliated cells. High smartphone penetration rates, high
per-capita banking engagement including active mobile banking use, large expatriate populations
with established banking relationships who may be less familiar with specific fraud indicators,
and dense urban environments where a single vehicle can cover populations of hundreds of
thousands within a short operational window all contribute to the potential yield of a
rogue BTS operation in Kuwait, the UAE, or Qatar compared to many other operational
environments.
The presence of operators of different nationalities across the two Kuwait operations - Chinese
nationals in February and Nigerian nationals in August - is consistent with the Smishing
Triad’s documented model of recruiting operational cells from existing criminal networks
in different countries and providing them with centrally-developed technical tooling and
targeting databases. The shared technical infrastructure means that law enforcement interdiction
of a single cell does not disrupt the network’s overall capacity; new cells can be
activated relatively quickly using the same hardware and software stack. This resilience
to operational takedowns is a characteristic of franchise-model criminal networks that
Kuwait’s Cybercrime Combating Department and CITRA will need to account for in their
longer-term strategic response to the threat.
Effective long-term mitigation of the rogue BTS threat in Kuwait and the broader Gulf region
will require a combination of technical, regulatory, and enforcement measures working in
concert. On the technical side, telecom operators should be accelerating the deprecation
of 2G network fallback for SMS delivery and implementing IMSI catcher detection systems
in their network monitoring infrastructure. On the regulatory side, CITRA’s demonstrated
willingness to take an active enforcement role should be supported with the legal frameworks
necessary to impose meaningful consequences on foreign nationals operating illegal telecommunications
infrastructure. On the enforcement side, the intelligence-sharing protocols between CITRA,
the Cybercrime Combating Department, and international counterparts including Interpol should
be deepened to enable the kind of proactive threat intelligence that can disrupt Smishing
Triad cells before they deploy hardware in Kuwait rather than after.
The two Kuwait Smishing Triad operations in 2025 demonstrate that rogue BTS smishing
has moved from a theoretical threat to a documented operational reality in the Gulf.
The KD 5 million in protected funds and the eight arrests represent successful enforcement
outcomes, but the underlying vulnerability in GSM network architecture that enables the
attack cannot be patched without fundamental infrastructure changes. For banks, telecom
operators, and any organization using SMS-based authentication in Kuwait, the documented
threat should accelerate migration away from SMS OTP and investment in IMSI catcher
detection capabilities.
## ZERO|TOLERANCE Advisory
The Kuwait rogue BTS operations demonstrate that smishing has evolved from a remote, internet-based threat into a physical infrastructure attack that bypasses every network-level defense a telecom operator can deploy.
The difference between an organization whose customers lose credentials through rogue BTS smishing and one whose customers are protected is not the security of the telecom network - it is the authentication architecture the organization chooses to deploy.
The first and most urgent control is the elimination of SMS as an authentication factor for any system involving financial transactions or sensitive data access.
SMS one-time passwords delivered through a rogue BTS can be intercepted and relayed in real time, before the victim has any opportunity to detect the fraud.
The National Institute of Standards and Technology has recommended against SMS as an authentication factor since 2017. Banks, government agencies, and enterprises operating in Kuwait should migrate to authenticator application-based TOTP (such as Google Authenticator, Microsoft Authenticator, or Authy) or, for high-privilege accounts, FIDO2 hardware security keys that cryptographically bind the authentication to the legitimate service and cannot be phished or intercepted regardless of the network path.
This migration is not optional - it is the single control that renders the entire rogue BTS attack chain commercially worthless.
The second control falls on telecom operators: deploying IMSI catcher detection systems within their radio access networks.
Solutions from companies such as ESD America (CryptoPhone), GSMK, or open-source projects like SnoopSnitch can detect the radio-frequency anomalies characteristic of rogue BTS operation - signal strength surges, authentication downgrades from 4G/5G to 2G, and IMSI/IMEI harvesting patterns.
Integrating these detection capabilities into the operator's network monitoring infrastructure would enable automated alerting to both the operator's SOC and CITRA when rogue BTS activity is detected, reducing the time between deployment and interdiction from days to hours.
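To make the detection signals listed above concrete, here is an added heuristic detector that scores handset-side cell observations for the anomalies named: a sudden signal surge, a downgrade from LTE to GSM while LTE cells are still visible, an unknown cell identity, and a base station advertising no neighbours. It is illustration code, not SnoopSnitch, GSMK or ESD America software; the observation trace, the whitelist of known cell identities, the weights and the alert threshold are constructed assumptions, and a real deployment would feed it from baseband diagnostics or operator-side RF probes.

```python
"""Heuristic rogue-BTS (IMSI catcher) scoring over cell observations.
Added example with constructed data; not any vendor's or project's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CellObs:
    t: int             # seconds since start of trace
    rat: str           # radio access technology the handset camped on: "LTE" or "GSM"
    cell_id: str       # serving cell identity (constructed, format LAC-CID)
    rssi_dbm: int      # received signal strength in dBm
    neighbours: int    # size of the neighbour list the cell advertises
    lte_visible: bool  # whether the handset could still see LTE cells


# Constructed whitelist of cell identities the operator actually runs.
KNOWN_CELLS = {"1001-5501", "1001-5502", "1001-5503"}

SURGE_DB = 20      # assumed: jump of this many dB between samples is suspicious
ALERT_SCORE = 3    # assumed: total weight at which an observation is flagged

WEIGHTS = {
    "unknown-cell": 2,     # serving cell not in the operator's inventory
    "downgrade-to-2g": 2,  # pushed from LTE to GSM although LTE was available
    "signal-surge": 1,     # a "tower" suddenly far stronger than everything else
    "no-neighbours": 1,    # real GSM cells advertise neighbours; fakes often don't
}


def score_observation(prev: Optional[CellObs], cur: CellObs) -> Dict[str, int]:
    """Return the reasons (and weights) one observation triggers."""
    reasons: Dict[str, int] = {}
    if cur.cell_id not in KNOWN_CELLS:
        reasons["unknown-cell"] = WEIGHTS["unknown-cell"]
    if prev and prev.rat == "LTE" and cur.rat == "GSM" and cur.lte_visible:
        reasons["downgrade-to-2g"] = WEIGHTS["downgrade-to-2g"]
    if prev and cur.rssi_dbm - prev.rssi_dbm >= SURGE_DB:
        reasons["signal-surge"] = WEIGHTS["signal-surge"]
    if cur.rat == "GSM" and cur.neighbours == 0:
        reasons["no-neighbours"] = WEIGHTS["no-neighbours"]
    return reasons


def detect(trace: List[CellObs]) -> List[dict]:
    """Walk a trace in time order and emit an alert per observation over threshold."""
    alerts, prev = [], None
    for cur in trace:
        reasons = score_observation(prev, cur)
        score = sum(reasons.values())
        if score >= ALERT_SCORE:
            alerts.append({"t": cur.t, "cell": cur.cell_id,
                           "score": score, "reasons": sorted(reasons)})
        prev = cur
    return alerts


# Constructed trace: normal LTE camping, then capture by an unlisted GSM cell.
SAMPLE_TRACE = [
    CellObs(0,   "LTE", "1001-5501", -85, 4, True),
    CellObs(30,  "LTE", "1001-5502", -88, 4, True),
    CellObs(60,  "GSM", "9999-0001", -52, 0, True),   # surge, downgrade, unknown, no neighbours
    CellObs(90,  "GSM", "9999-0001", -55, 0, True),   # still camped on the unknown cell
    CellObs(120, "LTE", "1001-5501", -86, 4, True),   # released back to the real network
]

# Constructed benign trace: ordinary handovers between known cells.
BASELINE_TRACE = [
    CellObs(0,  "LTE", "1001-5501", -85, 4, True),
    CellObs(30, "LTE", "1001-5503", -80, 4, True),
    CellObs(60, "LTE", "1001-5502", -90, 4, True),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_TRACE):
        print(a)
```

The weights are deliberately asymmetric: an unknown cell or an unexplained 2G downgrade each carry more weight than a signal surge, because handovers near a legitimate new site also produce surges, while an operator can always know whether a cell identity is its own. Feeding the "unknown-cell" check from the operator's live site inventory, rather than a static set, is what turns this from a handset toy into the SOC-and-CITRA alerting the advisory describes.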
The third control is accelerating the deprecation of 2G network fallback for SMS delivery. The entire rogue BTS attack vector exploits a fundamental weakness in the GSM protocol: the absence of mutual authentication between handsets and base stations.
Modern 4G LTE and 5G networks implement substantially stronger authentication, but many devices and carriers continue to fall back to 2G for SMS delivery.
Telecom operators should work with CITRA to establish a timeline for disabling 2G SMS fallback in areas with adequate 4G/5G coverage, eliminating the protocol-level vulnerability that makes rogue BTS operations possible.
The fourth control is customer security awareness: banks should deploy in-app push notification authentication instead of SMS OTP, and should educate customers that legitimate banking institutions will never send SMS messages containing links.
The fifth control is regulatory: CITRA should mandate that all telecom operators implement continuous RF monitoring for unauthorized base station emissions as a license condition, creating a detection mesh across Kuwait's mobile network coverage area.