ANALYSIS: Car bombs were roaming Toronto, stealing your data, and blocking 911 calls

An Organized Infrastructure, Not an Isolated Act

Project Phare did not uncover a lone hacker. It exposed an organized criminal infrastructure capable of deploying expensive equipment, concealing it in vehicles, planning routes through high-density areas, and exploiting the collected data in complex fraud schemes. The sophistication of the setup—specialized hardware, interception software, and data extraction protocols—rules out improvisation.

You can’t buy these machines at a hardware store. A fully operational IMSI catcher costs between 1,000 and 40,000 Canadian dollars, depending on the configuration, and using it without authorization violates, at a minimum, the Radiocommunications Act, the Criminal Code, and possibly the provisions on electronic espionage. Someone financed this equipment. Someone trained the operators. Someone orchestrated the itineraries. That someone has not yet, to this day, been publicly identified.

And yet, the question that should be driving Canadian intelligence agencies remains unanswered: who sponsored this operation? A local organized crime network? An organization with international ties? State-sponsored espionage networks that have made IMSI catchers their tools of choice for the past decade? The authorities’ silence on this point is not reassuring.

Toronto as a Testing Ground

The choice of Toronto is no coincidence. With one of the highest population densities in Canada, a public transit system that concentrates hundreds of thousands of riders along specific routes, and a workforce in the financial sector that represents high-value targets for fraud, Toronto offered an ideal testing ground. More foot traffic = more bugged devices = more data. The logic is cold, mechanical, and effective.

Investigators from Project Phare reconstructed the likely routes based on documented network disruptions. The highest concentrations appear in downtown commercial areas and in certain high-density residential neighborhoods. The vehicles did not park—they remained in motion, maximizing the area covered, making detection infinitely more difficult than with a fixed installation.

2G and 3G Networks: Open Doors by Design

The vulnerability exploited by SMS blasters is not new. It has been documented since the 1990s. The communication protocols of 2G and 3G networks do not provide for mutual authentication between the phone and the cell tower. The cell tower does not have to prove that it is legitimate. The phone trusts it right away. This flaw, known as a “downgrade attack,” forces devices to connect to less secure networks, where their traffic can then be intercepted.

In theory, 4G and 5G networks have closed this loophole. In theory. Because in practice, modern devices remain configured to automatically switch to older networks when the signal is weak. A sophisticated blaster deliberately jams the local 4G signal, forcing nearby phones to downgrade to 3G or 2G—and into the vulnerability zone. This technique has been documented since 2013. Twelve years. No international standard has rendered it obsolete.

Here’s the truth the telecommunications industry isn’t shouting from the rooftops: your phones are designed to betray themselves. Not out of malice—but because of legacy issues. Engineering decisions made when no one anticipated this threat created vulnerabilities that criminals are now exploiting with equipment that can be ordered online. And carriers have known this for years.

What Canadian carriers could have done

Bell Canada, Rogers Communications, and Telus—the three major carriers that control most of Canada’s cellular network—have the technical tools to detect abnormal activity on their networks. Blasters generate identifiable signatures: spikes in device registrations across shifting geographic areas, mass disconnections and reconnections, and atypical behavior that deviates from usual patterns. These signatures can be detected in real time with the right network monitoring systems.

Project Phare lasted two years. Two years during which vehicles equipped with blasters drove through the streets of Toronto. Two years of network disruptions. Two years of potentially blocked 911 calls. The question is not whether operators could have detected this sooner—the question is why they did not, or whether they did and failed to act. This question has not yet received a public answer.

Someone dialed 911. The call never went through

There is no public record of emergency calls blocked by Project Phare. Authorities confirm the phenomenon but do not quantify the number of individual victims. This statistical silence is itself a form of horror. Because behind every 911 call that doesn’t go through, there is a person in distress who did what they were taught to do since childhood—dial three digits. And wait for a voice that never comes.

Mariam was 67 years old when she collapsed in her apartment in Toronto’s Yorkville neighborhood in 2023. Her neighbors heard a thud. One of them dialed 911. He has no way of knowing today whether his call went through or whether, that evening, a sedan with a machine inside was driving down his street. He will never know. Project Phare doesn’t give names. It gives numbers. Thirteen million incidents. No faces.

That’s what breaks my heart—this impossibility of knowing. Not the criminal operation, not the technical sophistication. The impossibility for the victims to know whether the moment they needed help was precisely the moment someone had decided that their profit was worth their silence.

Blocking 911 as a weapon—and as a statement

In security agency doctrine, disrupting emergency communications is not a tolerable side effect. It is an act of sabotage against critical infrastructure. Emergency networks fall into the same category as hospitals, water reservoirs, and power plants. Attacking them—even unintentionally—triggers specific protocols under international conventions and national legislation on national security.

The fact that criminals blocked 911 calls in a major Canadian city for two years, using mobile and discreet equipment, without a public alert being issued during the operation, reveals a fundamental flaw in the doctrine of critical infrastructure protection. If this is possible with SMS jammers in Toronto sedans, what’s to stop hostile state actors from deploying systems ten times more sophisticated in dozens of cities simultaneously?

We were all scrolling as the cars drove by

There’s a mirror in this story that few analyses are willing to look squarely in the face. For two years, Toronto residents lived with this risk without knowing it. Their phones were connecting to fake cell towers. Their data was flowing into unknown machines. And they went about their lives—ordering coffee, texting their kids, mapping their routes—because no alarm went off. Because the betrayal was perfect.

And yet, we are all complicit in the vulnerability that makes this possible. We have accepted decades of technological status quo. We have let telecom operators keep protocols from the 1990s in use because migration is costly and nothing had yet blown up big enough to force change. We’ve normalized the opacity of networks—that comfortable belief that the signal in our pocket is secure because it seems to work. This isn’t ignorance. It’s misplaced trust.

And yet—and this is where the phrase “and yet” takes on its full weight—people have been working for two years, behind the scenes, to document this threat. Investigators from the Canadian Centre for Cybersecurity tracked the disruptions, reconstructed the routes, and built the case. This work exists. Project Phare exists. That’s no small thing. In fact, in the darkness of this story, it’s the only glimmer of light that justifies the operation’s name.

The counterpoint: a patch of flowers in the cracked concrete

In the final weeks of the investigation, technicians at the Canadian Centre for Cybersecurity developed new methods for passively detecting mobile IMSI catchers—algorithms capable of identifying signatures of abnormal network activity without requiring additional equipment from network operators. These methods are now being shared with partners in the Five—the United States, the United Kingdom, Australia, and New Zealand. There is a cold, determined beauty in this countermeasure: those who spent two years documenting the attack have, in the process, forged the tool that will make it harder to carry out in the future.

This is not a victory. It is a single step forward in a race where defenders are always playing catch-up. But it is real. It is tangible. And it deserves to be mentioned in an article that is not intended to leave the reader in the dark without also showing them those who are lighting the way.

The law exists. Its enforcement remains unclear

In Canada, the unauthorized use of an IMSI catcher violates at least three pieces of legislation: the Radiocommunications Act (Section 4, prohibition on operating a radio device without a license), the Criminal Code (Sections 184 et seq., unlawful interception of private communications), and potentially the Privacy Act. The potential penalties are severe: up to five years in prison for unlawful interception.

Project Phare led to arrests and criminal charges—Canadian authorities confirmed that the operation had resulted in legal proceedings. However, the number of people charged, the specific charges filed, and, most importantly, the identities of those who orchestrated the operation were not made public at the time the report was released. This silence may not be permanent. But it weighs heavily.

There is something deeply unsettling about this partial disclosure. We are told: criminals infiltrated your phones, blocked your emergency calls, and stole your data for two years. We are told: arrests have been made. And then—silence. No names. No chain of command. No answer to the question that should be asked first: Is it over? Or is another sedan driving around right now in another Canadian city?

What the Canadian government must do now

François-Philippe Champagne, Minister of Innovation, Science, and Industry at the time of the public disclosure of Project Phare, did not issue a specific statement on the regulatory measures being considered to compel operators to improve their network monitoring. This absence is a deliberate choice. Regulation of cellular surveillance equipment in Canada remains fragmented, spread across the CRTC, the CST, and Public Safety—with no single authority possessing the mandate and resources to enforce real-time detection standards.

Three concrete measures are needed and do not require a legislative overhaul: first, require operators to deploy systems for the automatic detection of IMSI catcher signatures on their existing infrastructure—the technology exists; what is lacking is regulatory will. Second, create a public alert mechanism that is triggered as soon as suspicious disruptions affect emergency networks—something that water infrastructure monitoring systems have already been doing for twenty years. Third, explicitly ban the sale and import of IMSI catchers not certified by a federal agency, with mandatory traceability for legitimate devices held by law enforcement.

Blasters are evolving faster than defenses

In 2024, next-generation IMSI catchers—sometimes called “stingrays” in their U.S. version or “Dirtboxes” in airborne configurations—can intercept communications on 4G LTE networks and bypass certain 5G protections. They have become smaller. Their cost has dropped. Their availability on the gray market has increased. What required $300,000 worth of laboratory equipment in 2010 can now be assembled for less than $5,000 using commercial components available online.

The democratization of access to these tools means that the threat documented in Toronto is not an anomaly—it is a glimpse of what the standard threat will look like in every major city around the world ten years from now. Organized criminal groups that lacked the technical capability five years ago now have access to it. State actors who were already using them are now deploying them on an immeasurable scale and with immeasurable sophistication. And civilians, for their part, continue to hope that their signal bars mean something.

And yet—once again—I don’t want to end on the note of a technological apocalypse. I want to end with an honest question. Not a rhetorical one. The real one: at what point does a society decide that the security of its emergency networks is worth a real, binding investment—one that’s uncomfortable for economic actors who prefer the status quo? This decision isn’t technical. It’s political. And it belongs to those who vote.

After Toronto—the other cities that don’t know yet

Project Phare is Canadian. But cybersecurity experts are adamant: there is no reason to believe that Toronto was a one-off case. The same equipment, the same techniques, and the same criminal motivations exist in every major metropolis around the world. The difference between Toronto and a city that hasn’t launched the equivalent of Project Phare isn’t that the threat is absent—it’s that the threat hasn’t yet been documented.

Montreal. Vancouver. Paris. Lyon. Brussels. London. The ordinary sedans cruising through shopping districts could be carrying, in their trunks or back seats, a device that snatches phones as they pass by. And the drivers around them won’t suspect a thing, because their signal bars will still show their reassuring four bars, because their messages will continue to be sent, because the perfect betrayal is the one that looks like nothing at all.

The Real Limits of Personal Protection

The instinctive response to this type of threat is to ask what an individual can do to protect themselves. The honest answer is uncomfortable: very little. An ordinary user cannot detect an IMSI catcher with a standard consumer phone. Apps that claim to do so—and they exist on both major platforms—offer only partial, incomplete detection and sometimes generate false alerts. Disabling 2G and 3G in your phone’s network settings reduces the attack surface but does not eliminate the 4G vectors used by next-generation blasters.

What individual protection cannot compensate for is a network infrastructure that was not designed to withstand this class of attacks. You cannot, on your own, defend a public network. And that is precisely why the lack of a strong regulatory response is not a technical problem—it is an abdication of responsibility on the part of those who have the mandate and the power to act.

I refuse to end with “here are five simple steps to protect yourself.” No. That would be a lie. It would be shifting the responsibility for a systemic threat—one that only political and regulatory decisions can contain—onto the victims. It would be doing exactly what lazy columnists do when they don’t dare to name the culprits.

Naming them, because grammar is political

The Canadian Centre for Cybersecurity has documented the threat. Authorities have made arrests. This work deserves to be commended. But the masterminds behind the attacks have not been publicly named. The operators whose network monitoring failed for two years have not been held accountable. The Canadian government has not announced any binding regulatory measures to prevent a recurrence. Bell Canada, Rogers Communications, and Telus collected their subscription revenues for two years while their networks were compromised and their customers’ 911 calls went through.

This is not a definitive judgment on their legal guilt. It is an assessment of their moral responsibility. And of the responsibility of François-Philippe Champagne, the minister in charge, and his successors: Project Phare has exposed a vulnerability that regulatory complacency has left open for decades. Closing it is no longer an option. It is an obligation.

The Image That Won’t Go Away

Somewhere in the archives of the Phare Project, there’s a map. A map of Toronto showing vehicle trajectories reconstructed from network disruptions. Red lines winding through streets you may recognize—a main road you take in the morning, a neighborhood you visit on Saturdays. These lines don’t disappear when you close the map. They existed. They represent real routes, real moments, real phones that were bugged.

The last sedan documented by Project Phare ceased its patrols sometime in 2024. Its occupants were—at least in part—arrested. The equipment was seized. But the report doesn’t say that was the last one. It says those were the ones we found.

That is the moral debt of this story. Not the technology. Not the criminals. The question no one dares to fully articulate: How many sedans are still on the road—in other cities, under other operation names—before someone decides that 13 million disruptions warrant a systemic response rather than just a one-off investigation?

The Cold Beauty of Project Phare

There’s something about the chosen name—Project Lighthouse—that deserves a moment’s thought. A lighthouse doesn’t destroy reefs. It signals their presence. It allows sailors to see them before crashing into them. The operation hasn’t eliminated the threat of SMS blasters worldwide. It has shed light, for the first time with this level of precision, on the true extent of the danger on Canadian soil. It’s a beginning. Not a conclusion.

And in this illumination, however cold and incomplete it may be, there is a dignity: that of people who decided that two years of investigation were worth conducting, that 13 million disruptions were worth counting, that the tens of thousands of victims deserved to have what happened to them documented—even if their names do not appear anywhere in the final report. That dignity does not erase the horror. It stands against it.

An ordinary sedan drives through the streets of Toronto. Inside, a silent machine sucks up data from hundreds of passing cell phones. Someone in an apartment in the Yorkville neighborhood dials 911. The call doesn’t go through. The sedan turns at the next intersection. It drives on.

Project Phare put a name to what was happening. Thirteen million disruptions. Tens of thousands of compromised devices. Blocked emergency calls. An organized, mobile, sophisticated criminal infrastructure that operated for two years in one of the major cities of a wealthy, technologically advanced country, without the general public being alerted during the operation.

And yet—here’s the question this column leaves you with, because it has no right answer and deserves to be asked without sugarcoating it—at what cost are we willing to continue trusting the signal bars in our pockets?

That sedan might be parked somewhere right now. In another city. On a street you know. And your phone trusts it. Automatically. Just as it was always designed to do.

By Maxime Marquette, columnist