Research by cybersecurity experts at SOS Intel suggests that most SS7 exploitation services offered on darknet markets are fake, leaving the buyer with nothing but a smaller crypto balance. The researchers combed for mentions of such services across the dark web, finding a total of 57 URLs, of which only 4 were functioning markets.
Of the four functioning markets, one was offline within a week, the second used images and video clips from a 2016 YouTube video, the third was a clone of the second, and the fourth was DarkFox Market, the biggest supposed provider of SS7-related services. DarkFox, which exceeds the traffic and popularity of the other three sites by a wide margin, lists such services at an average of $180, though demo video content attached to the listings is also stolen from YouTube.
SS7 is short for Signaling System No. 7, a telecommunications protocol developed in 1975. Among the functions the protocol enables are prepaid billing, Short Message Service (SMS), number translation and mass market services. Known hacks that have exploited shortcomings in software built around this protocol have made it possible to listen in on calls, read private messages, and track the location of a victim.
According to SOS Intel, there are a few ways in which messaging services like Telegram and WhatsApp can be hacked; most revolve around the hacker’s use of a “fake MSC,” or Mobile Switching Center, which serves as a directory for mobile numbers. In these cases, real MSC operators unknowingly transmit data to fake ones, allowing an attacker to intercept crucial communications, such as private conversations and OTP (one-time password) codes used for login authentication purposes.
SS7 attacks on Telegram users have been feasible since at least May 2016, when such an attack was demonstrated in a YouTube video. Coincidentally, that same video is used to promote fake SS7 exploitation services to this day. The other markets mentioned in addition to DarkFox are SS7 Exploiter, SS7 ONLINE Exploiter, and SS7 Hack.
SOS Intel also suggested that while SS7 attack services do exist on the darknet, they are usually found in members-only markets and offered only for short periods of time.