September 24, 2025

Wireless Threats at the UN: What the Secret Service Raids Reveal

September 23, 2025

The U.S. Secret Service announced the takedown of a significant wireless communications threat in the New York tristate area.

The discovery came during one of the most sensitive weeks of the year: the United Nations General Assembly. Heads of state, foreign ministers, and senior government officials from across the world gathered in New York for diplomacy and negotiations. While security focused on physical protection and cyber defense, attackers had positioned a massive wireless infrastructure within striking distance of the UN complex.

Investigators seized more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites, representing one of the most sweeping wireless communications threats uncovered on U.S. soil. Attackers had used these systems to deliver multiple cellular-related threats directed towards senior U.S. government officials. They could have potentially executed denial-of-service attacks, disrupted cell tower operations, and enabled encrypted channels for nation-state actors and criminal groups. The unknown threat actors positioned the infrastructure in apartments around New York City, with some quite close to the UN meeting site. While the investigation is ongoing, preliminary forensic analysis suggests cellular communications occurred between nation-state threat actors and individuals known to federal law enforcement.

SIM servers like the ones confiscated by the Secret Service have legitimate uses. For example, emergency services can use a SIM farm to send out thousands of warning messages very rapidly concerning landslides or wildfires. However, they typically register those SIM farms with their carriers and operate from facilities engineered for IT use.

The SIM farms that the Secret Service raided were housed in typical city apartments, which would not have met engineered facility specs. One challenge for the clandestine operators would have been to milk enough power and cooling from apartments designed for residential use.

A SIM server, like the ones shown in the released Secret Service photographs, may have hundreds of SIMs serving just 32 simultaneous channels. Each channel can send an SMS from one SIM and then immediately switch to another SIM for the next call without tearing down the first call. This function saves the server time, but it leaves the tower to discover that the previous SIM is gone, time it out, and then release its call. It puts a burden on the tower to discover the dropouts and free up that frequency. Towers do this pretty efficiently because dropouts can occur in normal operation (for example, when a car turns a corner and the phone loses sight of the old tower). Nonetheless, a short time penalty accumulates at the towers when hundreds of SIMs are hitting a tower every few seconds from each of dozens of servers. With thousands or millions of calls produced in a short period, this accumulated work could cause a local disruption of cellular service. Some have suggested that such an attack could crash the NYC cellular network more broadly, but experts say that is very unlikely.

The intended use for these covert systems is not yet clear. Some experts have speculated that the actual purpose was espionage. One way to intercept phone calls is to jam the available 4G connections, causing the cell phones themselves to downgrade to 3G or 2G, which is insecure and easy to intercept. All major carriers in the U.S. have dropped their 2G service, so most U.S.-purchased cell phones are no longer configured to connect to a 2G signal. However, many other countries still support 2G calling, and foreign UN attendees are likely carrying phones that can be tricked into connecting to bogus 2G services, thus making them vulnerable to interception.

A surprising aspect of these discoveries is that, according to news reports, whoever set these systems up used them in “swatting attacks,” in which calls are placed to police departments under false pretenses to cause police SWAT teams to respond to an address where they believe violence might be occurring. U.S. Representative Marjorie Taylor Greene is reportedly one of the victims of a swatting incident.

While a SIM farm is perfectly capable of placing a blind phone call to the police, you don’t need 100,000 SIMs to do a few swatting attacks. It may be that the investigation into the swatting calls actually exposed the SIM farm network. If so, the Operational Security (OpSec) of the attackers seems undisciplined. Better discipline would have prevented the use of a massive covert infrastructure for a swatting attack that a burner phone could have executed.

This incident demonstrates that wireless networks represent more than background infrastructure. They serve as critical components of modern protective operations. When adversaries exploit the wireless layer, they gain the ability to disrupt emergency communications, complicate coordination, and create opportunities for cascading security failures.

The Importance of Wireless Security

Leaders and their personnel rely on wireless communications, especially during high-profile events. At an international summit at the UN, diplomatic staff, protective teams, and intelligence agencies all depend on wireless devices for coordination. This reliance extends beyond mobile phones to include encrypted radios, push-to-talk systems, and secure cellular connections. Emergency alerts, logistics planning, and live intelligence updates all move across wireless networks. When attackers target this layer, they strike at the foundation of event security, increasing risk and potentially paralyzing decision-making in the field.

The disruption highlights several security threats to wireless communications systems:

  • SIM servers and SIM boxes: These devices can reroute traffic across unauthorized networks, making it easier for attackers to hide their origin, bypass controls, and manipulate call routing. Large-scale deployments enable adversaries to flood networks or establish untraceable communication channels.
  • Cell towers and base stations: These nodes act as choke points for mobile communications. Attackers who disable or overload them can cut off a geographic area from reliable service. Such an outage would interfere with both secure channels and public safety networks.
  • Encrypted but unauthorized channels: Even when attackers encrypt communications, the use of rogue infrastructure creates covert pathways that bypass oversight. This hidden communications channel complicates efforts to identify who is communicating, with whom, and for what purpose.

The concentration of infrastructure near the UN compound is probably not coincidental. High-profile targets create high-value opportunities, and attackers positioned their systems to maximize both impact and disruption.

Wireless as a Weapon

The size of the seized operation shows that wireless exploitation has become a tool for coordinated campaigns. Attackers are not limited to listening in on conversations. They can actively disrupt communications, impersonate legitimate users, and suppress or delay traffic. By doing so, they create both confusion and operational blind spots.

The involvement of nation-state actors points to a trend: cybercriminals seeking financial gain are no longer the only ones to exploit wireless communications and devices. State-backed adversaries recognize that wireless disruption can influence diplomacy, degrade emergency response, and even create geopolitical leverage.

Consider a scenario in which a wireless denial-of-service attack coincides with a physical incident near the UN complex. If attackers flood local towers and disrupt wireless communications, protective details, first responders, and emergency services could lose critical channels at the exact moment they need to coordinate.

  • Protective teams might struggle to relay real-time location updates or adjust routes for VIP movements.
  • Medical response units could face delays in dispatching ambulances or relaying triage information.
  • Law enforcement could lose the ability to share situational awareness across agencies, resulting in duplicated efforts or gaps in coverage.
  • Emergency operations centers might lack accurate visibility, forcing decision-makers to act on incomplete or outdated information.

In this scenario, wireless disruption does not act as the primary weapon but as a force multiplier. By creating confusion, delaying response, and overwhelming communication systems, attackers would amplify the impact of a physical incident. The combination of wireless denial-of-service operations and physical incidents would stretch resources thin and complicate containment or response.

Key Considerations

  1. Integrate wireless threat monitoring into the security plan: Security planning must include spectrum monitoring, rogue device detection, and traffic anomaly analysis. Such measures are crucial with high-profile events and spaces. Wireless must be a frontline domain equal to physical and cyber defense.
  2. Invest in rapid detection and response: Quickly identifying unusual wireless activity, traffic patterns, or spectrum anomalies shortens the attacker’s dwell time and reduces the potential impact. Effective detection requires both technical capability and trained personnel who can respond rapidly to contain a wireless threat.
  3. Strengthen public-private collaboration: Wireless networks sit at the intersection of commercial and government responsibility. Telecom operators and infrastructure providers hold the keys to visibility, while law enforcement and intelligence agencies carry the mandate to neutralize threats. Cooperation must extend beyond emergencies to include planning and intelligence sharing.
  4. Adopt defensive wireless technologies: Tools that detect rogue base stations, analyze spectrum anomalies, and map live wireless activity give defenders the intelligence needed to preempt attacks. These capabilities make wireless threats visible, allowing response teams to move quickly when adversaries attempt disruption.
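
The SIM rotation described earlier (hundreds of SIMs cycled through a small number of channels) leaves a trace that an operator can look for as part of the traffic anomaly analysis in consideration 1: one radio presenting far more subscriber identities than a handset ever would. The following is an added example, not code from the original article or from the investigation; the record layout, identifiers, window, and threshold are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample events, not real carrier data: (epoch_seconds, cell_id, imei, imsi).
# The field layout is hypothetical; real signaling and CDR feeds differ per operator.
def make_sample_events():
    events = []
    for t in range(0, 600, 120):                      # ordinary handsets, one IMSI each
        events.append((t, "cell-A", "imei-phone-1", "imsi-1001"))
        events.append((t + 30, "cell-A", "imei-phone-2", "imsi-1002"))
    events.append((50, "cell-A", "imei-phone-3", "imsi-2001"))   # dual-SIM handset:
    events.append((400, "cell-A", "imei-phone-3", "imsi-2002"))  # two IMSIs is normal
    for n in range(40):                               # gateway channel: new SIM every 5 s
        events.append((100 + 5 * n, "cell-A", "imei-gw-ch07", f"imsi-9{n:03d}"))
    return sorted(events)

def flag_imsi_churn(events, window_s=300, max_imsis=4):
    """Return {imei: peak distinct IMSIs within any window_s span} for devices above max_imsis.

    Events must be time-ordered. Threshold and window are illustrative assumptions.
    """
    recent = defaultdict(deque)                       # imei -> (ts, imsi) still in window
    counts = defaultdict(lambda: defaultdict(int))    # imei -> imsi -> hits in window
    peak = defaultdict(int)
    for ts, _cell, imei, imsi in events:
        q, c = recent[imei], counts[imei]
        q.append((ts, imsi))
        c[imsi] += 1
        while q and q[0][0] <= ts - window_s:         # expire events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        peak[imei] = max(peak[imei], len(c))
    return {imei: n for imei, n in peak.items() if n > max_imsis}

def cells_with_flagged_devices(events, flagged):
    """Map each cell to the flagged devices seen on it, showing where tower load concentrates."""
    by_cell = defaultdict(set)
    for _ts, cell, imei, _imsi in events:
        if imei in flagged:
            by_cell[cell].add(imei)
    return {cell: sorted(devs) for cell, devs in by_cell.items()}

if __name__ == "__main__":
    ev = make_sample_events()
    flagged = flag_imsi_churn(ev)
    print(flagged, cells_with_flagged_devices(ev, flagged))
```

This heuristic assumes the device identifier stays stable across SIM changes; where it does not, the same windowed count can be keyed on cell and location instead, and it should be treated as one signal among several.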

Signal of a Larger Trend

This disruption in New York confirms that adversaries actively weaponize wireless. It also shows that attackers view high-profile events as opportunities to maximize disruption and leverage. Wireless attacks now form part of blended strategies that combine cyber operations, physical disruption, and information warfare.

Organizations cannot afford to treat wireless as an afterthought. The growth of mobile connectivity, IoT devices, and wireless-first systems expands the attack surface every year. Without visibility and active monitoring, defenders risk leaving a critical layer unprotected.

Conclusion

The Secret Service dismantled a credible wireless threat near the UN General Assembly. However, the larger lesson is clear: wireless infrastructure represents one of the most exposed attack surfaces in modern security operations. Future protective missions, especially those around international leaders, must treat the wireless domain as a frontline battleground. By integrating monitoring, strengthening detection and response capabilities, and building collaborative defenses, organizations can detect and disrupt adversaries before an incident becomes a crisis.
