Two threat actors built a global location-tracking business on a protocol that was never authenticated. The CitizenLab report calls them STA1 and STA2. They are the punchline of a 1980s design choice. The original architects assumed every counterparty was a known telco. They were, for a while. Then they weren't. April 23, 2026: CitizenLab publishes Bad Connection . Gary Miller and Swantje Lange document over 500 location-tracking attempts attributed to a single threat actor since November 2022. Targets in Thailand, South Africa, Norway, Bangladesh, sub-Saharan Africa. Attack infrastructure routed through real operator identities: 019Mobile (Israel), Airtel Jersey/Sure (Channel Islands), Tango Networks UK, Telenabler AB. The signaling messages looked legitimate because the protocol had no way to ask whether they were.…