Canada Arrests Three for Operating SMS Blaster Device in Toronto

What happened

Canadian authorities have arrested three men for operating a mobile SMS blaster device across the Greater Toronto Area in what police describe as the first such case in the country. The investigation, dubbed Project Lighthouse, began in November 2025 following tips about suspicious activity in downtown Toronto.

An SMS blaster mimics a legitimate cellular tower, causing nearby phones to automatically connect to it due to its stronger signal. Once connected, the device operators push SMS messages directly to those phones without needing phone numbers, with messages appearing to come from trusted organizations such as banks or government agencies. The messages directed recipients to phishing sites designed to capture banking credentials and passwords.

The equipment was operated from vehicles, allowing it to move across the Greater Toronto Area and reach large numbers of people in densely populated locations. Toronto Police estimate that 13 million cases of mobile network entrapment occurred during the device’s operation. Beyond the phishing risk, devices connected to the rogue station are temporarily cut off from their legitimate carrier network and unable to reach emergency services.

Searches were conducted in Markham and Hamilton on March 31, resulting in the seizure of multiple SMS blaster units and other electronic devices. Two suspects were arrested at that time and a third turned himself in on April 21.

Who is affected

Anyone within range of the device during its operation across the Greater Toronto Area was potentially exposed to phishing messages appearing to originate from banks or government entities. The 13 million entrapment figure indicates a broad affected population spanning multiple locations and time periods.

Why CISOs should care

SMS blasters remove the need for attacker infrastructure, phone number lists, or carrier access. The attack requires only physical proximity and a device that can be operated from a moving vehicle. Messages delivered this way bypass carrier-level spam filtering entirely, arrive without a traceable sender, and appear indistinguishable from legitimate bank or government alerts at the device level.

For organizations with mobile-heavy workforces or customer bases that rely on SMS for authentication or alerts, this campaign is a concrete demonstration that SMS is a fundamentally insecure channel regardless of how well the sending infrastructure is protected. The threat does not require compromising a carrier or a messaging platform.

3 practical actions

  1. Accelerate the deprecation of SMS as an authentication factor: SMS-based MFA is vulnerable to SIM swapping, SS7 attacks, and now SMS blasters delivering fake OTP prompts. Migrate to app-based authenticators or hardware keys for any authentication flow where SMS is currently used.
  2. Brief employees on SMS phishing lures impersonating banks and government agencies: SMS blaster campaigns specifically mimic trusted institutional senders. Train employees to treat any SMS containing a link from a financial institution or government body as suspicious and to verify through the organization’s official app or website rather than following the link.
  3. Advise Android users to disable 2G network access where operationally feasible: Many SMS blaster attacks rely on forcing devices to downgrade to 2G connections. Android users can disable 2G access in network settings to reduce exposure to this attack vector, though this measure does not cover all SMS blaster configurations targeting LTE and 5G signaling.