The “Mosenik” operation by the Civil Guard has brought to light something rarely seen so clearly: the layer of technological infrastructure supporting many large-scale smishing campaigns and fraudulent calls that affect both users and businesses. Behind those calls posing as the National Police or the Bank of Spain wasn’t just a “pirate call center,” but an industrial telecom platform designed to maximize the mobile network’s exploitation.
Beyond the police report, this case is a compelling example of how professional telecom hardware—SIMBOXs, GSM modems, large-scale SIM cards—can be repurposed as the “engine” for massive cyber scams.
A Fraud Factory with 35 SIMBOXs and nearly 900 GSM Modems
According to data released by the Interior Ministry and Civil Guard, the dismantled infrastructure consisted of, among other components:
- 35 industrial SIMBOXes
- 865 professional GSM modems integrated into these SIMBOXes
- 852 active SIM cards
- Over 60,000 national SIM cards ready to use
- 10,000 New SIMs still inactive
- Various computers and abundant IT and technological equipment
Each modem operated as if it were an independent mobile phone and could send between 12 and 18 messages per minute, increasing the system’s total capacity to around 2.5 million SMS daily. All controlled by a single person through about ten computers.
From a technical standpoint, this is a mass messaging platform very similar to those used by legitimate companies for sending notifications, 2FA codes, or marketing campaigns… but entirely geared toward fraud.
What is a SIMBOX and Why Is It So Attractive to Criminals?
SIMBOXes (often called GSM gateways or SIM gateways) are devices that allow managing dozens or hundreds of SIM cards from a single device. Internally, they host:
- Stacks of professional GSM modems
- SIM card trays or “banks”
- Firmware and control software to manage call and SMS traffic
In legitimate uses, they are employed for:
- Lower-cost routing (least-cost routing) in operators and call centers
- Corporate messaging platforms
- Machine-to-machine systems and IoT requiring many mobile lines
However, in the hands of criminal groups, they offer three key advantages:
- Scale: to send huge volumes of SMS and calls without depending on a single line.
- Identity rotation: constantly changing numbers by switching SIMs or modems.
- Flexible geographical distribution: if hardware is enclosed in cases or compact racks, it can be moved or reallocated with relative ease.
In this case, the Civil Guard highlights the seizure of a transportable SIMBOX case, capable of operating from anywhere with internet access via WiFi or mobile network, making tracking even more difficult.
Fraud Engineering: Automation, Rotation, and Segmentation
The operation describes a system with several components typical of a “telecom fraud-as-a-service” architecture:
- Extreme automation
Call and message sending was managed from a central infrastructure that scheduled traffic over the SIMBOX. From a software perspective, this involves some platform that orchestrates which modem uses which SIM, with what content, at what pace, and to which destination. - Constant sender rotation
Originating numbers were frequently changed, and lines remained active only a short time after activation. This complicates detection and blocking by operators and anti-fraud systems, as the pattern is dynamic and ephemeral. - Mass fake identities
SIM cards were bought in large quantities from various providers and activated using fake identities. Without effective KYC or with lax controls, this infrastructure can remain operational for months. - Victim segmentation
Though capable of contacting millions of numbers, investigators note that potential victim profiles were studied and campaigns targeted specific groups, including Russian and Ukrainian citizens residing in Spain, contacted in their own language.
From a technological standpoint, this is not simply mass spam dispatch but a flexible, programmable infrastructure designed to adapt scripts, languages, numbering, and volumes depending on each criminal campaign.
Infrastructure as a Service… for Cybercrime
An additional relevant aspect is the role of the detainee. According to the Civil Guard, his main functions were:
- Creating and maintaining the system
- Selling this service to cybercriminal networks worldwide
In other words, he didn’t just carry out his own scams but operated as a specialized infrastructure provider. This pattern is seen in other areas of cybercrime as well:
- Malware-as-a-Service: renting Trojans, ransomware, or botnets.
- Access-as-a-Service: selling access to compromised corporate networks.
- Phishing kits: ready-to-clone templates for banking or service websites.
In this case, the specialization is in the mobile telecommunications layer: clients don’t need to know how to manage SIMBOXes or GSM modems; they just pay to launch large-scale smishing or vishing campaigns.
Challenges for Operators and Defenders
Cases like “Mosenik” pose several technical challenges for the cybersecurity and telecom ecosystem:
- Detecting anomalous traffic patterns
Identifying when a set of SIMs is sending clearly automated traffic (volumes, timings, pattern repetition) without harming legitimate corporate messaging services is complex. It requires advanced behavioral analysis and collaboration between operators and law enforcement. - Mass registration and KYC management
Easily acquiring tens of thousands of SIMs and activating them with fake identities remains a critical vector. Without stricter controls, these platforms can re-emerge with new cards. - Limitations of traditional blocking mechanisms
Blocking specific numbers is too late when the system is designed to continually rotate numbers and cards. The fight involves raising visibility and control at the infrastructure level and employing more sophisticated reputation and filtering mechanisms.
Spain as a Scenario and Testing Ground
The operation, led by the Court of Instruction No. 1 of Novelda and carried out by units from Alicante, Barcelona, and Tarragona, highlights that Spain is not only a target for global campaigns but also a place where part of the international cybercrime infrastructure can be hosted.
The estimated value of the confiscated equipment—around 400,000 euros—and the industrial nature of the system point to a business with a potential economic impact of several million euros in scams. The investigation remains open, and the Civil Guard continues analyzing the material to find other suspects and new victims.
In a context where fraud via SMS, calls, and automated messages continues to grow, cases like “Mosenik” remind us that the fight against cybercrime involves more than just software or social engineering; it also encompasses the physical and network layers: racks, modems, SIM cards, and cases that, connected to the Internet, can turn into authentic real-time scam factories.
Source: Cybersecurity News