In recent months, a multinational investigation known as Surveillance Secrets has exposed one of the most pervasive and under-reported location-tracking operations in the world. Central to the story is an obscure company named First Wap, whose surveillance toolkit, Altamides, allegedly enabled the tracking of world leaders, journalists, corporate figures, and private individuals with extraordinary precision. The scope of this system and its implications for privacy, accountability, and regulation are significant.
This article explores the key revelations, the technology involved, and the legal and ethical questions raised by this investigation.
From SMS Provider to Global Surveillance Vendor
First Wap, formally registered in Jakarta, Indonesia, began in the late 1990s as an SMS service provider. Over time, the company shifted its business model, becoming a developer of cyber-surveillance tools. Its primary product, Altamides, reportedly allows real-time geolocation, message interception, and access to encrypted messaging platforms such as WhatsApp. Despite its global reach, the company remained largely off the radar until investigative journalists uncovered a dataset containing over one million logged location-tracking operations stored on the deep web.
The transformation from communication provider to surveillance vendor illustrates the ease with which ordinary technology companies can pivot into areas with serious implications for privacy and security. First Wap’s presence at international surveillance technology trade shows facilitated its visibility among governments and corporate actors seeking such tools.
Undercover Reporting and Data Forensics
The Surveillance Secrets investigation combined undercover reporting with forensic data analysis and in-depth interviews to trace First Wap’s operations. A key breakthrough occurred at the ISS World surveillance-technology trade fair in Prague, where undercover journalists posed as representatives of a private mining company interested in tracking environmental activists. During discussions with First Wap executives, the journalists learned that Altamides was highly capable and flexible, able to achieve ambitious surveillance goals. Executives acknowledged the legal risks of their technology while offering ways to navigate or mitigate them.
These interactions highlighted both the sophistication of the surveillance toolkit and the willingness of the company to market it to clients with potentially questionable intentions.
Technical Capabilities of Altamides
Investigative reporting revealed that Altamides could perform real-time geolocation by querying telecom networks through vulnerabilities in the Signalling System 7 (SS7) protocol, which underpins call and text message routing. The system is also reported to allow interception of SMS messages, giving clients access to communications that may include sensitive two-factor authentication codes. Perhaps most controversially, Altamides can allegedly access WhatsApp messages despite the platform’s end-to-end encryption. Internal communications indicate that the system can bypass certain regulatory constraints by routing contracts through jurisdictions with lax oversight, effectively enabling clients to avoid scrutiny.
The combination of active interception and advanced geolocation capabilities represents a level of access historically reserved for state intelligence agencies, yet First Wap appears willing to provide it to private clients.
Profiles of Those Targeted
The dataset uncovered by journalists included over 14,000 phone numbers in more than 160 countries. Targets ranged from state actors and business leaders to journalists and ordinary individuals. Among those identified were Italian investigative journalist Gianluigi Nuzzi, American journalist and former CIA officer Adam Ciralsky, former Qatari Prime Minister Hamad bin Jassim bin Jaber Al Thani, and Syrian First Lady Asma al-Assad. Even public figures such as actor Jared Leto were reportedly included.
The diversity of targets demonstrates that such surveillance technology is not limited to combating terrorism or serious crime but is accessible to actors seeking commercial, political, or personal advantage. This revelation underscores the ethical and legal dilemmas surrounding commercial surveillance.
First Wap’s Public Response
Following the exposure, First Wap publicly denied any wrongdoing. The company emphasized that it only sells products to governments or government-like entities and that clients are vetted for compliance with relevant export regulations. First Wap maintained that it does not operate surveillance directly on individuals and that routing agreements through other jurisdictions are standard business practices rather than a means of evading the law. Despite these statements, the undercover footage and internal documents suggest that the company was aware of potential misuse while actively facilitating access to its tools.
The Global Surveillance Industry and Regulatory Gaps
The First Wap case highlights a broader, largely unregulated global surveillance industry. Trade fairs such as ISS World serve as venues for companies to market software capable of interception, geolocation, and other forms of surveillance to a wide range of clients, including foreign governments, private firms, and intelligence agencies. The prevalence of location-data companies, such as Anomaly Six in the United States, further demonstrates the pervasiveness of location-tracking technology, even when collected for commercial purposes.
Regulatory frameworks struggle to keep pace with the technological sophistication of surveillance tools. European Union legislation, for instance, restricts spyware use to serious crime cases with judicial oversight, but enforcement is limited. Civil society organizations note that vague definitions and fragmented regulations make it difficult to hold vendors accountable and to prevent misuse.
Ethical Implications and Societal Risks
The revelations surrounding First Wap raise profound ethical questions. The ability to track an individual’s location, read private messages, or access encrypted communication threatens the right to privacy. Surveillance of journalists, political dissidents, or activists can create a chilling effect, undermining freedom of expression and the press. The lack of transparency surrounding sales, clients, and operational practices further complicates efforts to ensure accountability. Additionally, evidence that the company may facilitate circumvention of export restrictions underscores the risk that surveillance technologies could be misused for political or corporate gain.
Legal Considerations and Compliance Challenges
The legal landscape surrounding surveillance technology is complex. Unauthorized exploitation of SS7 vulnerabilities may constitute a violation of telecom regulations in multiple jurisdictions. Privacy laws, including the European Union’s General Data Protection Regulation, impose strict restrictions on the collection and use of personal data without consent. Surveillance tool vendors may also be subject to export control regulations, which treat certain technologies as dual-use goods. Even if clients misuse tools, companies may still bear legal responsibility, particularly if they facilitate or encourage unlawful activity.
Comparisons with Other Surveillance Scandals
First Wap’s activities are reminiscent of other notable surveillance incidents. NSO Group’s Pegasus spyware allowed governments to infect the mobile devices of journalists, activists, and political figures, revealing the dangers of commercially available intrusion software. Location-data firms such as Anomaly Six collect telemetry data from consumer applications, highlighting another dimension of pervasive tracking. The use of fake base stations, or IMSI-catchers, in countries such as Norway demonstrates that government-led surveillance of leaders is an ongoing concern. What distinguishes First Wap is its combination of commercial accessibility, active interception, and sophisticated geolocation capabilities.
Reactions and Potential Implications
The exposure of First Wap has prompted swift reactions from the telecommunications sector and civil society. Some network operators have reportedly severed ties with the company, while advocacy groups are calling for stricter oversight and regulation of surveillance technology. Policymakers are likely to examine current export controls and licensing requirements to prevent abuse. Legal challenges may also arise if victims of surveillance pursue recourse, though cross-border jurisdiction and anonymity of data create significant obstacles.
Significance of the YouTube Exposé
The video titled “This Secret Tech Tracked World Leaders, a Vatican Enemy” provides a public window into the findings of the Surveillance Secrets investigation. By highlighting undercover reporting and leaked datasets, the video amplifies the concerns raised by investigative journalists. In doing so, it raises public awareness of a hidden and rapidly evolving surveillance landscape that has implications far beyond the individuals directly targeted.
Challenges to Reform
Addressing the risks posed by commercial surveillance tools presents significant challenges. Regulatory fragmentation allows companies to exploit inconsistencies across jurisdictions. Companies cite trade secrets and national security concerns as reasons to limit transparency, making enforcement and oversight difficult. Policymakers must also balance preventing abuse with allowing legitimate security and intelligence operations. Effective reform will require international cooperation, robust enforcement, and heightened public awareness.
Conclusion
The exposure of First Wap and its Altamides toolkit underscores a global reality. The commercial surveillance industry is extensive, sophisticated, and often opaque. Its reach extends beyond governments to private corporations, consultants, and other actors, highlighting vulnerabilities in both law and oversight. Investigative efforts such as Surveillance Secrets and the YouTube exposé provide critical insight into this hidden world, encouraging scrutiny, accountability, and informed debate about the ethical and legal boundaries of surveillance. The revelations serve as a reminder that in the modern digital era, privacy and security are increasingly intertwined, and the stakes of invisible surveillance affect everyone.
References
Lighthouse Reports, “Surveillance Secrets: Trove of surveillance data challenges what we thought we knew about location tracking tools,” https://www.lighthousereports.com/investigation/surveillance-secrets
Investigative Journalism for Europe, “Surveillance Secrets Project Overview,” https://investigativejournalismforeu.net/projects/surveillance-secrets
Atlantic Council, “Mapping the Global Spyware Market and Its Threats to National Security and Human Rights,” https://www.atlanticcouncil.org/in-depth-research-reports/report/mythical-beasts-and-where-to-find-them-mapping-the-global-spyware-market-and-its-threats-to-national-security-and-human-rights
Mapping Media Freedom, “Fact Sheet: Spyware Risks,” https://www.mappingmediafreedom.org/wp-content/uploads/2025/03/Fact-Sheet-Spyware-2025.pdf
European Parliament, “Legal Frameworks for Surveillance in the EU,” https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/739202/EPRS_BRI%282022%29739202_EN.pdf
Wikipedia, “Anomaly Six,” https://en.wikipedia.org/wiki/Anomaly_Six
Wikipedia, “Pegasus Project Investigation,” https://en.wikipedia.org/wiki/Pegasus_Project_%28investigation%29
The Guardian, “Pegasus spyware found on journalists’ phones,” https://www.theguardian.com/news/2021/aug/02/pegasus-spyware-found-on-journalists-phones-french-intelligence-confirms
Aftenposten, “Secret Surveillance of Norway’s Leaders Detected,” https://www.aftenposten.no/norge/i/q36m/secret-surveillance-of-norways-leaders-detected