INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me
HIGH

Kuwait Smishing Triad Rogue Cell Towers Target Banks and Telecoms

Feb & Aug 2025 · KD 4M protected

Publication Date: 2025-02-01
Category: Data Breaches
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

In two separate operations in February and August 2025, Kuwaiti authorities dismantled mobile fraud cells operating rogue Base Transceiver Stations - portable fake cell towers - from vehicles circulating through Kuwait City and the Salmiya district. The operations resulted in the arrest of eight foreign nationals: six Chinese nationals in the first operation and two Nigerian nationals in the second.

Executive Summary

Key Facts

  • What: Rogue cell towers in vehicles sent fake bank SMS to steal credentials in Kuwait.
  • Who: Banking customers in Kuwait City and Salmiya targeted via spoofed messages.
  • Data Exposed: Banking credentials and OTPs intercepted through fake BTS towers.
  • Outcome: Eight foreign nationals arrested; KD 5 million in funds protected by police.

Incident Overview

What Happened

In two separate operations five months apart, Kuwaiti authorities dismantled mobile fraud cells operating rogue Base Transceiver Stations from vehicles circulating through Kuwait City's commercial districts. The first operation, on February 13, 2025, was triggered by concurrent alerts from multiple Kuwaiti telecom companies and banking institutions reporting anomalous SMS patterns. Signal-tracking by the Cybercrime Combating Department located a vehicle in the Farwaniya area carrying BTS hardware and a six-person crew of Chinese nationals with forged identity documents.

A Kuwaiti citizen and Egyptian expatriate were subsequently arrested for visa trafficking. The equipment seized included BTS hardware, a laptop managing injection campaigns, and databases of mobile numbers from previous regional operations.

The second operation, on August 10, 2025, marked a significant development: it was initiated not by telecom or bank alerts but by CITRA's own network monitoring systems detecting suspicious intrusions into Kuwait's telecommunications infrastructure. CITRA filed a formal law enforcement referral, and signal-tracking located a vehicle in the Salmiya district operating rogue BTS equipment. Two Nigerian nationals were arrested after a failed vehicle pursuit.

Cybersecurity firm Resecurity attributed both operations to the Smishing Triad, a transnational fraud network with confirmed activity in over 121 countries.

The Cybercrime Combating Department reported protecting KD 4 million (approximately $13 million USD) in citizen funds targeted in related December 2024 operations, and an additional KD 1 million ($3.2 million USD) during January through May 2025. The total KD 5 million in protected funds establishes the financial scale of the rogue BTS threat to Kuwaiti banking customers.

The August operation was the first confirmed instance of CITRA directly triggering a major cybercrime enforcement operation through its own monitoring capabilities - a concrete operational output of the DPPR Decision 26/2024 framework functioning as intended.

Analysis

Operation One: The Farwaniya Cell (February 13, 2025)

The first operation unfolded on February 13, 2025, when Kuwait’s Cybercrime Combating Department began receiving concurrent alerts from multiple Kuwaiti telecom companies and banking institutions.

The alerts described an anomalous pattern of SMS messages appearing to originate from official bank sender IDs but containing phishing links directing recipients to credential-harvesting pages.

The volume and geographic clustering of complaints pointed to a localized emission source rather than a conventional internet-based smishing campaign operating from overseas infrastructure.

A rogue BTS - also known as an IMSI catcher or “stingray” device - works by broadcasting a cell tower signal stronger than legitimate towers in the vicinity. Mobile phones within range automatically connect to the strongest available signal without any user action or authentication requirement on the device side. Once connected, the rogue BTS can intercept unencrypted SMS traffic passing through it and, more relevantly in this case, inject arbitrary SMS messages directly into connected handsets with any sender ID the operator chooses to configure.

The spoofed sender ID is indistinguishable from a legitimate bank message in the recipient’s message thread, appearing alongside genuine historical communications from the same institution.

Signal-tracking operations by the Cybercrime Combating Department located the rogue BTS emission source to a vehicle circulating through the Farwaniya area of Kuwait City. The vehicle was stopped and a six-person crew of Chinese nationals was arrested. Biometric scanning during the arrest process revealed that the individuals were carrying forged identity documents and falsified residency records.

The investigation subsequently identified a Kuwaiti citizen and an Egyptian expatriate who were arrested separately on charges of visa trafficking - indicating that the cell had an established support network facilitating their presence in Kuwait on fraudulent documentation.

The equipment seized from the vehicle included the BTS hardware itself, alongside a laptop infrastructure used to manage the injection campaigns, databases of mobile numbers acquired from previous smishing operations in the region, and logs suggesting the cell had been operational for a period preceding the February 13 arrests.

The Cybercrime Combating Department noted that its intervention had protected KD 4 million (approximately $13 million USD) in citizen funds that had been targeted in related December 2024 operations, and an additional KD 1 million (approximately $3.2 million USD) protected during the January through May 2025 period, figures that establish the scale of the financial exposure that rogue BTS operations represent to Kuwaiti banking customers.

Resecurity’s attribution of the February cell to the Smishing Triad is consistent with the operational profile of that network, which has been documented operating rogue BTS hardware from vehicles in multiple countries across Europe, Asia, and the Middle East.

The Smishing Triad is not a single organization in the conventional sense but rather a loosely federated criminal ecosystem that provides shared technical infrastructure - including BTS hardware, phishing page templates, and stolen data aggregation services - to criminal cells operating in various countries under localized targeting parameters.

The Kuwait operation’s targeting of Kuwaiti-specific bank brands and the use of Arabic-language phishing pages calibrated to Kuwaiti financial institutions suggests either a sophisticated localization capability within the Smishing Triad ecosystem or the engagement of local criminal partners with knowledge of the Kuwait banking landscape.

Operation Two: The Salmiya Cell (August 10, 2025)

The August 10, 2025 operation differed from its February predecessor in one significant and consequential respect: it was initiated not by alerts from telecom companies or banks, but by CITRA’s own network monitoring systems detecting suspicious intrusions into Kuwait’s telecommunications networks. CITRA filed a formal report with law enforcement based on its own technical detection, and the resulting signal-tracking operation located a vehicle in the Salmiya district of Kuwait City operating rogue BTS hardware.

The arrest of the two Nigerian nationals operating the August cell was complicated by an active flight attempt - the driver of the vehicle attempted to flee when approached by authorities, resulting in a collision with other vehicles before the cell was successfully apprehended. The rogue BTS equipment was seized, and the investigation established that the August cell had been targeting telecom customers in the Salmiya area in a pattern consistent with the February operation: spoofed bank SMS messages directing recipients to credential-harvesting infrastructure.

The significance of the August operation lies in what it reveals about the maturation of Kuwait’s regulatory and enforcement posture. CITRA’s ability to independently detect unauthorized intrusions into telecom network infrastructure and translate that detection into an actionable law enforcement referral represents exactly the kind of proactive regulatory function that its recent governance framework was designed to enable.

The DPPR Decision 26/2024, which mandated 24-hour breach notification obligations for telecommunications operators effective January 1, 2025, had created new reporting channels and presumably enhanced information-sharing protocols between CITRA and the Cybercrime Combating Department. The August operation can reasonably be read as the first concrete operational output of that enhanced regulatory framework functioning as intended.

The choice of Salmiya as the operational area for the August cell is worth noting from an intelligence perspective. Salmiya is one of Kuwait’s most densely populated commercial and residential districts, with a high concentration of expatriate residents who may be less familiar with specific Kuwaiti banking security conventions and therefore more susceptible to convincingly spoofed SMS messages appearing to originate from their banking institutions.

The geographic targeting of the cell suggests either operational intelligence about victim demographics or a systematic approach to maximizing the density of potential victims per hour of rogue BTS operation.

Technical Anatomy of the Rogue BTS Attack

The rogue BTS attacks documented in Kuwait exploit a fundamental architectural weakness in the 2G (GSM) mobile network protocol that has been understood by security researchers since the early 2000s but has never been fully remediated due to the cost and complexity of legacy network upgrades. GSM does not implement mutual authentication between mobile devices and base stations - a handset will connect to any tower broadcasting the right network identifiers at sufficient signal strength without verifying the tower’s legitimacy.

This design decision, made when the primary concern was call quality rather than security, created a permanent attack surface that portable hardware costing a few thousand dollars can exploit.

Modern 4G LTE and 5G networks implement substantially stronger authentication mechanisms that make full IMSI catcher attacks significantly more difficult, though not impossible.

However, many devices and many carriers in the region continue to fall back to 2G for SMS delivery even in areas with 4G coverage, a legacy compatibility mechanism that preserves the attack surface for rogue BTS operations. Attackers operating the hardware documented in the Kuwait cases did not need to defeat 4G security - they only needed to present nearby handsets with a stronger signal than the legitimate towers in their operational area, which in practice means broadcasting at sufficient power to pull those devices onto their 2G-emulated network for the duration of SMS injection.

The smishing payload itself - the fraudulent SMS message - typically directs the recipient to a phishing page designed to harvest banking credentials, one-time passwords, or card numbers. The sophistication documented in the Smishing Triad’s operations includes real-time OTP relay infrastructure that allows the operator to use harvested credentials immediately, before the victim has time to detect the fraud and contact their bank.

In the Kuwait cases, the banks’ fraud monitoring systems appear to have been an important detection layer, as the initial alerts that triggered the February investigation came from the banks themselves observing anomalous credential use patterns consistent with a phishing campaign targeting their customers in a specific geographic area.

For organizations operating in Kuwait, the rogue BTS threat model has direct implications for SMS-based authentication systems. Any organization that relies on SMS-delivered one-time passwords as a factor in multi-factor authentication for employee access, customer login, or transaction authorization is exposed to the scenario documented in these Kuwait cases, where a rogue BTS can intercept and relay OTPs in real time.

The National Institute of Standards and Technology has for years recommended against SMS as an authentication factor precisely because of this vulnerability, and the documented Smishing Triad operations in Kuwait provide a vivid regional illustration of why that guidance exists. Organizations should be accelerating migration from SMS OTP to authenticator application-based or hardware token-based second factors for any access path involving sensitive systems or financial transactions.

Compliance Impact

Regulatory Framework and CITRA’s Evolving Role

Kuwait’s primary legal instrument for cybercrime is Law No. 63/2015, the Cybercrime Law, which establishes criminal penalties for unauthorized access to computer systems and networks, data interception, and electronic fraud. The operation of rogue BTS hardware for the purpose of intercepting SMS traffic and injecting fraudulent messages falls squarely within the unauthorized access and interception provisions of Law 63/2015, and the arrests in both the February and August operations were processed under its authority.

Maximum financial penalties under the law reach KD 20,000, though the criminal proceedings in cases of this severity typically emphasize custodial sentences rather than fines, and the deportation of foreign nationals after sentence completion is the standard outcome for cases involving non-resident criminal actors.

CITRA’s DPPR Decision 26/2024 is the more operationally significant recent development in Kuwait’s cybersecurity governance posture. Effective January 1, 2025, the decision mandated that telecommunications operators report security breaches to CITRA within 24 hours of detection. This notification requirement creates two important operational dynamics.

First, it compels telecom operators to invest in detection capabilities sufficient to identify breaches quickly, since the clock starts running from detection rather than from occurrence. Second, it creates a centralized information flow to CITRA that enables the regulator to correlate signals across multiple operators - a capability that is critical for detecting rogue BTS operations, which affect all operators whose customers are within the device’s range simultaneously.

The August 2025 operation demonstrated this correlation capability in practice. CITRA’s ability to independently detect suspicious intrusions into telecom networks suggests that the regulator has developed or deployed monitoring infrastructure that goes beyond receiving operator notifications - it implies active visibility into telecom network anomalies that can be generated without waiting for an operator to identify and report a breach.
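The geographic clustering that pointed investigators at a local emission source in February, and the cross-operator correlation CITRA is described as performing in August, can be expressed as one small detection rule. The following is an added example written for this advisory, not code from CITRA, any Kuwaiti operator or Zero|Tolerance; the alert records, area names, operator names and thresholds are all constructed. The idea it shows: an internet-based smishing campaign spreads complaints thinly across the country and across time, whereas a vehicle-mounted rogue BTS produces a dense burst of complaints in one area, on every operator's customers in range, within minutes.

```python
"""Correlate smishing alerts across operators to spot a localized emission source.

Added example for this advisory; not CITRA's, the operators' or Zero|Tolerance's code.
Input records, thresholds and area names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (operator, area, timestamp, spoofed_sender_id).
SAMPLE_ALERTS = [
    ("OperatorA", "Farwaniya", "2025-02-13T09:02:00", "BANK-KW"),
    ("OperatorB", "Farwaniya", "2025-02-13T09:04:00", "BANK-KW"),
    ("OperatorC", "Farwaniya", "2025-02-13T09:05:00", "BANK-KW"),
    ("OperatorA", "Farwaniya", "2025-02-13T09:07:00", "BANK-KW"),
    ("OperatorB", "Farwaniya", "2025-02-13T09:09:00", "BANK-KW"),
    ("OperatorA", "Hawalli",   "2025-02-13T09:03:00", "BANK-KW"),  # isolated report
    ("OperatorA", "Jahra",     "2025-02-13T14:30:00", "BANK-KW"),  # two reports, one operator
    ("OperatorA", "Jahra",     "2025-02-13T14:31:00", "BANK-KW"),
]

WINDOW = timedelta(minutes=15)  # rogue BTS deployments are short; widen for slower campaigns
MIN_ALERTS = 4                  # complaint volume in one area within the window
MIN_OPERATORS = 2               # a rogue tower hits every operator's customers in range


def find_localized_clusters(alerts, window=WINDOW, min_alerts=MIN_ALERTS,
                            min_operators=MIN_OPERATORS):
    """Return one (area, window_start, alert_count, operators, sender_ids) tuple per area
    where complaints from several operators cluster tightly in time, i.e. the signature of
    a local emission source rather than an overseas internet-based campaign."""
    by_area = defaultdict(list)
    for operator, area, ts, sender in alerts:
        by_area[area].append((datetime.fromisoformat(ts), operator, sender))

    clusters = []
    for area, events in by_area.items():
        events.sort()
        best = None
        start = 0
        # sliding window over the time-ordered events of this area
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            operators = {op for _, op, _ in window_events}
            if len(window_events) >= min_alerts and len(operators) >= min_operators:
                if best is None or len(window_events) > best[1]:
                    senders = sorted({s for _, _, s in window_events})
                    best = (events[start][0], len(window_events), sorted(operators), senders)
        if best is not None:
            clusters.append((area, *best))
    return clusters


if __name__ == "__main__":
    for area, start, count, ops, senders in find_localized_clusters(SAMPLE_ALERTS):
        print(f"possible rogue BTS near {area}: {count} alerts from {ops} "
              f"spoofing {senders}, window starting {start}")
```

Only the Farwaniya burst is reported: Hawalli has a single complaint and the two Jahra reports come from one operator, which is what a regulator sitting above all operators can distinguish and a single operator's SOC cannot. In practice the area key would be the serving cell or a map grid rather than a district name, and the output would feed the referral-and-signal-tracking step rather than a print statement.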

This represents a significant maturation of Kuwait’s regulatory enforcement posture and positions CITRA as an active operational participant in cybercrime response rather than a passive recipient of compliance reports.

For telecommunications operators in Kuwait, the DPPR Decision 26/2024 framework creates concrete compliance obligations with real enforcement consequences. The 24-hour notification window is demanding - it requires not just incident detection but also internal triage, escalation, and regulatory reporting within a single business day.

Organizations that have not invested in the Security Operations Center capabilities, automated anomaly detection, and pre-drafted regulatory notification templates necessary to meet this timeline are exposed to regulatory sanctions in addition to the customer and reputational harm that follows a smishing incident. The Kuwait cases suggest that CITRA has both the technical visibility and the institutional willingness to hold operators accountable when their networks are being used as attack infrastructure against their customers.

Pattern Recognition: The Smishing Triad’s Gulf Expansion

Resecurity’s documentation of Smishing Triad activity in 121 countries places the Kuwait operations within a global pattern of rogue BTS deployment that has accelerated significantly since 2023. The availability of relatively affordable BTS hardware through gray market channels, combined with the persistent GSM vulnerability that enables the attack, has lowered the barrier to entry for criminal cells willing to operate what is essentially a physical piece of telecommunications infrastructure in a moving vehicle.

The operational security requirements are manageable - keep the vehicle moving to avoid triangulation, use the hardware for short deployment windows, and have false documentation prepared in the event of a traffic stop.

The Gulf region presents specific characteristics that make it an attractive operational environment for Smishing Triad-affiliated cells.

High smartphone penetration rates, high per-capita banking engagement including active mobile banking use, large expatriate populations with established banking relationships who may be less familiar with specific fraud indicators, and dense urban environments where a single vehicle can cover populations of hundreds of thousands within a short operational window all contribute to the potential yield of a rogue BTS operation in Kuwait, the UAE, or Qatar compared to many other operational environments.

The use of members from different nationalities across the two Kuwait operations - Chinese nationals in February and Nigerian nationals in August - is consistent with the Smishing Triad’s documented model of recruiting operational cells from existing criminal networks in different countries and providing them with centrally developed technical tooling and targeting databases.

The shared technical infrastructure means that law enforcement interdiction of a single cell does not disrupt the network’s overall capacity; new cells can be activated relatively quickly using the same hardware and software stack. This resilience to operational takedowns is a characteristic of franchise-model criminal networks that Kuwait’s Cybercrime Combating Department and CITRA will need to account for in their longer-term strategic response to the threat.

Effective long-term mitigation of the rogue BTS threat in Kuwait and the broader Gulf region will require a combination of technical, regulatory, and enforcement measures working in concert. On the technical side, telecom operators should be accelerating the deprecation of 2G network fallback for SMS delivery and implementing IMSI catcher detection systems in their network monitoring infrastructure.

On the regulatory side, CITRA’s demonstrated willingness to take an active enforcement role should be supported with the legal frameworks necessary to impose meaningful consequences on foreign nationals operating illegal telecommunications infrastructure. On the enforcement side, the intelligence-sharing protocols between CITRA, the Cybercrime Combating Department, and international counterparts including Interpol should be deepened to enable the kind of proactive threat intelligence that can disrupt Smishing Triad cells before they deploy hardware in Kuwait rather than after.

The two Kuwait Smishing Triad operations in 2025 demonstrate that rogue BTS smishing has moved from a theoretical threat to a documented operational reality in the Gulf.

The KD 5 million in protected funds and the eight arrests represent successful enforcement outcomes, but the underlying vulnerability in GSM network architecture that enables the attack cannot be patched without fundamental infrastructure changes. For banks, telecom operators, and any organization using SMS-based authentication in Kuwait, the documented threat should accelerate migration away from SMS OTP and investment in IMSI catcher detection capabilities.

Assessment

ZERO|TOLERANCE Advisory

The Kuwait rogue BTS operations demonstrate that smishing has evolved from a remote, internet-based threat into a physical infrastructure attack that bypasses every network-level defense a telecom operator can deploy. The difference between an organization whose customers lose credentials through rogue BTS smishing and one whose customers are protected is not the security of the telecom network - it is the authentication architecture the organization chooses to deploy.

The first and most urgent control is the elimination of SMS as an authentication factor for any system involving financial transactions or sensitive data access. SMS one-time passwords delivered through a rogue BTS can be intercepted and relayed in real time, before the victim has any opportunity to detect the fraud.

The National Institute of Standards and Technology has recommended against SMS as an authentication factor since 2017. Banks, government agencies, and enterprises operating in Kuwait should migrate to authenticator application-based TOTP (such as Google Authenticator, Microsoft Authenticator, or Authy) or, for high-privilege accounts, FIDO2 hardware security keys that cryptographically bind the authentication to the legitimate service and cannot be phished or intercepted regardless of the network path.

This migration is not optional - it is the single control that renders the entire rogue BTS attack chain commercially worthless.

The second control falls on telecom operators: deploying IMSI catcher detection systems within their radio access networks. Solutions from companies such as ESD America (CryptoPhone), GSMK, or open-source projects like SnoopSnitch can detect the radio-frequency anomalies characteristic of rogue BTS operation - signal strength surges, authentication downgrades from 4G/5G to 2G, and IMSI/IMEI harvesting patterns.

Integrating these detection capabilities into the operator's network monitoring infrastructure would enable automated alerting to both the operator's SOC and CITRA when rogue BTS activity is detected, reducing the time between deployment and interdiction from days to hours.
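The radio-side indicators listed above (signal strength surges, downgrades to 2G, unknown cells) are individually weak and only become convincing in combination, which is how handset-based detectors score them. The block below is an added example for this advisory, not code from SnoopSnitch, GSMK, ESD America or any operator; the known-cell table, the indicator weights, the alert threshold and the three sample observations are constructed (MCC 419 is Kuwait's country code, but the MNC, LAC and cell IDs are placeholders). It compares a device's current cell observation with its previous one and returns a score with the reasons, so a genuine LTE-to-GSM handover in a coverage hole scores low while an unknown, unencrypted, much louder GSM cell appearing under a stationary device crosses the threshold.

```python
"""Heuristic scoring of cell observations for rogue-BTS indicators.

Added example for this advisory; not code from SnoopSnitch, GSMK, ESD America or any operator.
Weights, threshold, the known-cell table and the sample observations are constructed.
"""

# Constructed stand-in for the table an operator exports from its cell-planning database:
# (mcc, mnc, lac, cid) -> radio technology. Real deployments would load thousands of rows.
KNOWN_CELLS = {
    (419, 99, 1001, 40011): "LTE",
    (419, 99, 1001, 40012): "LTE",
    (419, 99, 1001, 2071): "GSM",
}

# Constructed weights. Several weak indicators together should cross the threshold;
# a single one (a normal LTE->GSM handover in a coverage hole) should not.
WEIGHTS = {
    "unknown_cell": 40,        # cell identity absent from the operator's database
    "rat_downgrade": 25,       # device pushed from LTE/5G down to GSM
    "cipher_off": 30,          # GSM attach with A5/0, i.e. no encryption
    "signal_surge": 20,        # abrupt jump in received power versus the previous sample
    "lac_change_no_move": 15,  # location area changed while the device was stationary
}
ALERT_THRESHOLD = 60


def score_observation(prev, cur, known_cells=KNOWN_CELLS, weights=WEIGHTS):
    """Return (score, reasons) for observation `cur` given the previous observation `prev`.

    Observations are dicts with keys mcc, mnc, lac, cid, rat, cipher, rssi_dbm and moving."""
    reasons = []
    if (cur["mcc"], cur["mnc"], cur["lac"], cur["cid"]) not in known_cells:
        reasons.append("unknown_cell")
    if prev["rat"] in ("LTE", "NR") and cur["rat"] == "GSM":
        reasons.append("rat_downgrade")
    if cur["rat"] == "GSM" and cur["cipher"] == "A5/0":
        reasons.append("cipher_off")
    if cur["rssi_dbm"] - prev["rssi_dbm"] >= 20:
        reasons.append("signal_surge")
    if cur["lac"] != prev["lac"] and not cur["moving"]:
        reasons.append("lac_change_no_move")
    return sum(weights[r] for r in reasons), reasons


def is_suspicious(prev, cur, threshold=ALERT_THRESHOLD):
    """True when the combined indicator score reaches the alert threshold."""
    return score_observation(prev, cur)[0] >= threshold


# Constructed sample: a phone camped on a known LTE cell ...
BASELINE = {"mcc": 419, "mnc": 99, "lac": 1001, "cid": 40011, "rat": "LTE",
            "cipher": "EEA2", "rssi_dbm": -95, "moving": False}
# ... then pulled onto an unknown, unencrypted GSM cell that is far louder, without moving ...
ROGUE = {"mcc": 419, "mnc": 99, "lac": 9999, "cid": 1, "rat": "GSM",
         "cipher": "A5/0", "rssi_dbm": -60, "moving": False}
# ... versus a legitimate handover to the operator's own GSM cell while travelling.
BENIGN_HANDOVER = {"mcc": 419, "mnc": 99, "lac": 1001, "cid": 2071, "rat": "GSM",
                   "cipher": "A5/3", "rssi_dbm": -90, "moving": True}

if __name__ == "__main__":
    for label, obs in (("rogue", ROGUE), ("benign", BENIGN_HANDOVER)):
        score, why = score_observation(BASELINE, obs)
        print(f"{label}: score={score} reasons={why} alert={score >= ALERT_THRESHOLD}")
```

The unknown-cell check is the strongest single indicator and is the one only the operator (or a regulator with the operators' cell inventories) can make authoritatively, which is why the advisory puts this control on the operator rather than on the customer's handset. Feeding these scored events, with the reporting device's coarse location, into the same correlation used for customer complaints would turn individual handset observations into the emission-source estimate that signal-tracking then confirms.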

The third control is accelerating the deprecation of 2G network fallback for SMS delivery. The entire rogue BTS attack vector exploits a fundamental weakness in the GSM protocol: the absence of mutual authentication between handsets and base stations. Modern 4G LTE and 5G networks implement substantially stronger authentication, but many devices and carriers continue to fall back to 2G for SMS delivery.

Telecom operators should work with CITRA to establish a timeline for disabling 2G SMS fallback in areas with adequate 4G/5G coverage, eliminating the protocol-level vulnerability that makes rogue BTS operations possible. The fourth control is customer security awareness: banks should deploy in-app push notification authentication instead of SMS OTP, and should educate customers that legitimate banking institutions will never send SMS messages containing links.

The fifth control is regulatory: CITRA should mandate that all telecom operators implement continuous RF monitoring for unauthorized base station emissions as a license condition, creating a detection mesh across Kuwait's mobile network coverage area.