Cybersecurity News & Analysis • github • defconxt • © 2026 • blacktemple.net
Circles

Also known as: Circles Technologies · Circles Bulgaria

HQ Country: Israel
Category: surveillance tech
Threat Score: 88/100
Incidents: 14
Known Clients: U.S. DEA, Mexican SEDENA, Ecuadorian intelligence, Bolivian intelligence, Chilean PDI, Peruvian intelligence, Bangladeshi NTMC, Honduran intelligence
Deployment Countries: IL, BG, US, MX, EC, BO, CL, PY, PE, BD, HN, GH, KE, ZA, AU

References

  • Citizen Lab: Running in Circles - SS7 Exploitation Worldwide (2020)
  • NSO Group-Circles Relationship
  • EFF: SS7 Vulnerabilities and Commercial Exploitation

Threat Score Factor Analysis

Overall Threat Score: 88/100

Overview

Circles Technologies is an Israeli surveillance company that specializes in exploiting fundamental vulnerabilities in SS7 (Signaling System 7), the global telecommunications protocol that connects phone networks worldwide. Founded in 2008, Circles was acquired by NSO Group in 2014 and subsequently operated as a separate but affiliated entity within the Francisco Partners private equity-backed intelligence company ecosystem.

SS7 is the 1975-era protocol used by telecommunications carriers globally to route calls, authenticate subscribers, and coordinate handoffs between cell towers. SS7's architecture was designed for trust between network operators, with no authentication of message sources, a design that made perfect sense in 1975 when only a handful of national carriers connected to the network but has become catastrophically vulnerable as thousands of entities now have SS7 access.

Circles built a commercial product around this vulnerability: by gaining access to the SS7 network (through connections to cooperative telecommunications operators, likely in countries with weak telecom regulatory oversight), Circles can send SS7 messages that trick global carrier networks into revealing subscribers' precise locations, intercepting their voice calls and SMS messages, and tracking their movements, all without any access to the target's device and without the target's knowledge.

This approach is fundamentally different from device spyware (Pegasus, Graphite, PSS): where device spyware requires compromising the target's individual device, SS7 exploitation targets the underlying telecommunications network infrastructure. The target's phone remains uncompromised, and the target cannot detect the surveillance through any device-level forensic analysis.

Citizen Lab's 2020 investigation identified Circles clients in 25 countries across five continents based on distinctive DNS infrastructure patterns, documenting deployments in democracies and authoritarian states alike.

Data Collection Practices

Circles exploits SS7 vulnerabilities to achieve surveillance capabilities that operate entirely within the telecommunications network, invisible to the target device:

Subscriber location tracking through SS7 "Send Routing Information" (SRI-SM) and "Provide Subscriber Information" (PSI) queries enables Circles operators to:

  • Request the current cell tower location of any mobile subscriber globally (regardless of carrier or country)
  • Convert cell tower location to approximate GPS coordinates using tower database lookups
  • Track target movement across carriers, countries, and time zones continuously
  • Identify home location, workplace, frequent locations, and travel patterns without any device compromise

Call and SMS interception through SS7 message manipulation enables:

  • Real-time interception of unencrypted voice calls by redirecting call routing through Circles-controlled infrastructure
  • SMS interception (capturing SMS content before delivery to the target device)
  • Interception of SMS-based two-factor authentication codes (enabling account takeover for email, social media, and banking)
  • Silent SMS "pings" that reveal subscriber location without triggering any device notification

IMSI capture and subscriber identification enables associating phone numbers with International Mobile Subscriber Identities (IMSIs), which can then be used for continued SS7-based tracking.

Roaming exploitation: SS7 queries can be routed to appear to come from the subscriber's home network even when targeting users in any country, exploiting the global trust architecture of telecommunications networks. A government with Circles can surveil its citizens anywhere in the world, or surveil foreign nationals, regardless of national boundaries.

Two-factor authentication bypass: Because Circles can intercept SMS messages, the company's capabilities enable bypassing SMS-based two-factor authentication, a critical security implication that affects account security across banking, email, and government systems using SMS as a second factor.
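
Because these queries never touch the handset, detection has to happen on the carrier's signaling links. The following is an added example, not code from Circles, Citizen Lab or any carrier: it screens inbound interconnect records for the SRI-SM and PSI queries described above, using plausibility checks of the kind carrier SS7 firewalls apply. The record layout, the PLMN-to-global-title table, the threshold and every sample value are constructed assumptions.

```python
from collections import defaultdict

# Assumed table: IMSI prefix (MCC+MNC) -> global-title prefix of that home network.
HOME_GT_BY_PLMN = {"00101": "99901", "00202": "99802"}  # constructed values
ORPHAN_SRI_THRESHOLD = 3  # assumed: lookups with no SMS delivery before alerting

# Constructed inbound interconnect records:
# (time in seconds, MAP operation, calling global title, subscriber as resolved by the probe)
EVENTS = [
    (0, "sendRoutingInfoForSM", "9980200010", "msisdn:15550100"),
    (2, "mt-forwardSM", "9980200010", "msisdn:15550100"),
    (10, "provideSubscriberInfo", "9980200020", "imsi:002020000000001"),
    (20, "provideSubscriberInfo", "9970300099", "imsi:001010000000042"),
    (30, "sendRoutingInfoForSM", "9970300099", "msisdn:15550142"),
    (90, "sendRoutingInfoForSM", "9970300099", "msisdn:15550142"),
    (150, "sendRoutingInfoForSM", "9970300099", "msisdn:15550142"),
]


def screen(events):
    """Return alerts for location-revealing queries that fail plausibility checks."""
    alerts = []
    orphan_lookups = defaultdict(int)  # (calling GT, subscriber) -> SRI-SM count
    for ts, op, gt, subscriber in events:
        if op == "provideSubscriberInfo":
            # PSI is expected only from the subscriber's own home network.
            plmn = subscriber.split(":", 1)[1][:5]
            expected = HOME_GT_BY_PLMN.get(plmn)
            if expected is None or not gt.startswith(expected):
                alerts.append((ts, "PSI_NOT_FROM_HOME_NETWORK", gt, subscriber))
        elif op == "sendRoutingInfoForSM":
            # A routing lookup is normal before SMS delivery; repeated lookups
            # that never lead to a delivery look like location polling.
            orphan_lookups[(gt, subscriber)] += 1
            if orphan_lookups[(gt, subscriber)] == ORPHAN_SRI_THRESHOLD:
                alerts.append((ts, "SRI_SM_WITHOUT_DELIVERY", gt, subscriber))
        elif op == "mt-forwardSM":
            orphan_lookups[(gt, subscriber)] = 0  # delivery followed the lookup
    return alerts


if __name__ == "__main__":
    for alert in screen(EVENTS):
        print(alert)
```
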

Known Clients & Government Contracts

Citizen Lab's 2020 investigation identified Circles deployments based on distinctive DNS infrastructure, revealing clients across the Americas, Africa, and Asia-Pacific:

United States (DEA): The Drug Enforcement Administration has been documented as a Circles client through investigative reporting, using SS7 location tracking capabilities for drug trafficking investigations. The U.S. government's use of SS7 surveillance through commercial vendors raises questions about the legal frameworks governing this capability and oversight mechanisms.

Mexico (SEDENA): Mexico's Secretariat of National Defense was identified as a Circles client. Mexico has been one of the most significant markets for commercial surveillance technology, using NSO Group's Pegasus and Circles' SS7 capabilities. In Mexico, surveillance tools purchased for counter-narcotics have been documented targeting journalists, human rights lawyers, and opposition politicians.

Ecuador, Bolivia, Chile, Peru, Honduras: Multiple Latin American intelligence and security services were identified as Circles clients in Citizen Lab's investigation. The region has been a significant market for commercial surveillance technology, with varying degrees of oversight and accountability.

Bangladesh (NTMC): Bangladesh's National Telecommunications Monitoring Center (NTMC) is a Circles client. Bangladesh has used telecommunications surveillance capabilities against journalists, political opposition, and civil society under successive governments.

Ghana, Kenya, South Africa: Multiple African intelligence services identified as Circles clients reflect the expansion of commercial SS7 surveillance capabilities into sub-Saharan Africa, where regulatory frameworks for telecommunications surveillance are often underdeveloped.

Australia: Citizen Lab's investigation identified what appeared to be a Circles deployment in Australia, consistent with law enforcement or intelligence use by one of the Five Eyes partners.

Privacy Incidents & Litigation

Citizen Lab "Running in Circles" Investigation (2020): Citizen Lab's definitive investigation into Circles documented the company's global deployment based on a unique pattern of DNS lookups that Circles' systems performed against its operational infrastructure. By monitoring these DNS queries, Citizen Lab identified Circles deployments in 25 countries across five continents, providing the most comprehensive map of SS7 exploitation clients ever published.

The investigation revealed that Circles maintained a separate corporate identity in Bulgaria (Circles Bulgaria) apparently to distance the Israeli parent company from certain client relationships. The Bulgarian entity enabled EU-based operations under GDPR jurisdiction while the Israeli parent managed technology development.

Mexico Journalist and Activist Targeting: Consistent with documented Pegasus use in Mexico, Circles' SS7 capabilities were used in Mexico against targets that included journalists and civil society members beyond any legitimate law enforcement scope. The combination of Pegasus (device compromise) and Circles (SS7 network surveillance) in the same government's arsenal represents a comprehensive surveillance capability.

EFF SS7 Vulnerability Campaign: The Electronic Frontier Foundation has repeatedly documented SS7's vulnerabilities and the commercial exploitation of these vulnerabilities by companies including Circles, campaigning for telecommunications carriers and regulators to implement SS7 security reforms. The FCC opened an inquiry into SS7 security in 2017, but industry-level reforms have been slow given the technical complexity of updating global telecommunications protocol infrastructure.

FCC SS7 Security Inquiry: The Federal Communications Commission's 2017 inquiry into SS7 security was partly motivated by documentation of commercial SS7 exploitation by companies including Circles and others. The FCC's inquiry led to limited carrier-side security improvements but did not result in substantive regulatory action against commercial SS7 exploitation vendors.

Congressional Scrutiny: U.S. senators including Ron Wyden have sought information from DEA and other agencies about their use of SS7 surveillance capabilities purchased from commercial vendors, arguing that this surveillance raises Fourth Amendment concerns when used against U.S. persons without appropriate legal process.

Threat Score Analysis

Circles receives a composite threat score of 88/100, reflecting the unique threat posed by SS7 exploitation capabilities that work against any mobile subscriber globally without device compromise:

  • Data Collection (92/100): SS7 exploitation enables real-time location tracking, call interception, and SMS capture for any mobile subscriber anywhere in the world, without requiring access to the target's device. This capability is uniquely undetectable: device-level forensics cannot identify SS7-based surveillance. The global reach and undetectability make SS7 exploitation particularly severe.

  • Third-Party Sharing (90/100): Circles sells surveillance capabilities to government clients who use SS7 access to conduct intelligence and law enforcement operations. Multiple documented cases show this capability used against journalists, civil society members, and opposition politicians beyond legitimate law enforcement targets.

  • Breach History (55/100): Circles' own infrastructure was reverse-engineered by Citizen Lab through DNS query patterns, constituting significant operational exposure. The identification of 25 client countries from infrastructure analysis represents a catastrophic operational security failure.

  • Government Contracts (95/100): Circles operates exclusively as a government surveillance contractor. Documented clients include multiple government agencies in the Americas, Africa, and Asia-Pacific, including the U.S. DEA.

  • Transparency (10/100): Circles maintains essentially zero public transparency. The company does not publish information about its capabilities, clients, or compliance processes. Its corporate structure (Israeli parent, Bulgarian entity) appears designed partly to minimize regulatory exposure.

Weighted calculation: (92 * 0.25) + (90 * 0.25) + (55 * 0.20) + (95 * 0.15) + (10 * 0.15) = 23.0 + 22.5 + 11.0 + 14.25 + 1.5 = 72.25, adjusted to 88 due to the unique threat posed by SS7 exploitation capabilities that enable surveillance of any mobile subscriber globally without device compromise and without any possibility of detection through device-level security measures.

Transparency & Accountability

Circles operates with what amounts to deliberate opacity, maintaining a minimal public presence and providing no public information about its capabilities, clients, or governance:

The company maintains no significant public-facing presence. Information about Circles' business has emerged primarily through investigative journalism (Haaretz's reporting on its NSO acquisition), civil society research (Citizen Lab's Running in Circles investigation), and privacy advocacy organization documentation.

The NSO Group acquisition raised the question of whether Circles' SS7 capabilities were integrated with Pegasus to create a combined surveillance platform: device-level spyware working in concert with network-level interception. NSO's own marketing materials referenced "Circles" in the context of network-level interception capabilities complementary to Pegasus, suggesting coordination between the two products.

The structural challenge of addressing SS7 exploitation through company-specific accountability is that the underlying vulnerability exists in the global telecommunications protocol, not in Circles' technology specifically. Even if Circles ceased operations, other entities with SS7 access could offer similar capabilities. The accountability solution lies in SS7 security improvements by telecommunications carriers and regulators, not solely in restricting individual commercial vendors.

The use of Circles technology by U.S. law enforcement (DEA) creates a particular accountability gap: unlike foreign surveillance vendors (NSO on the Commerce Entity List), domestic law enforcement use of commercial SS7 capabilities operates without a clear legal framework, is under-disclosed to Congressional oversight bodies, and proceeds without Fourth Amendment review by courts.
