Vast Surveillance Data Challenges Our Understanding of Location Tracking, Its Targets, and Global Reach
In June, a sharply dressed Austrian executive at one of the world’s largest yet little-known surveillance firms warned a potential client that arranging the deal they were discussing could land him in prison. But the conversation didn’t stop there.
The executive, Günther Rudolph, was speaking at ISS World in Prague, a discreet trade fair for advanced surveillance technology. He went on to describe how his company, First Wap, could provide highly sophisticated phone-tracking software called Altamides, capable of locating any person worldwide. The prospective client? A privately owned mining company under international sanctions, intending to monitor environmental activists. “I think we’re the only ones who can deliver,” Rudolph said.
What he didn’t realize: he was speaking with an undercover reporter from Lighthouse.
The path to that Prague meeting began with a massive cache of data, discovered by a Lighthouse journalist on the deep web. The archive contained over a million tracking operations, documenting attempts to trace the real-time locations of thousands globally. Investigating this archive and First Wap’s activities brought together more than 70 journalists from 14 media outlets.
The result is one of the most detailed pictures to date of the modern surveillance industry. The archive exposes how First Wap and its clients monitored a wide spectrum of people worldwide. Reporters interviewed over 100 victims, as well as former employees and industry insiders. Confidential emails and internal documents revealed how First Wap marketed its technology to authoritarian regimes and corporate actors. Behind closed doors, executives boasted about hacking WhatsApp accounts and joked about evading sanctions.
The surveillance industry has long maintained that its tools are exclusively used by government agencies to fight serious crime, framing misuse as rare. This investigation definitively disproves that claim.
Understanding a Hidden Data Archive
The investigation began with an unprecedented dataset. While other archives of surveillance company activity exist, this one is the most detailed: 1.5 million records, over 14,000 unique phone numbers, and surveillance targets in more than 160 countries. It provides a detailed account of when and where individuals were tracked and what the tracking software displayed to its users.
The only clue to a target’s identity was a phone number. Teams at Lighthouse and partner media outlets spent months matching numbers to real individuals. To organize the data, reporters created “clusters” of interconnected targets — groups of people linked in time or place. As identities emerged, stories began to take shape.
A sample of the location-tracking data shows the global reach of Altamides. High-profile targets included former Prime Minister of Qatar, the wife of ousted Syrian leader Bashar al-Assad, Netflix producer Adam Ciralsky, Blackwater founder Erik Prince, Nobel Peace Prize nominee Benny Wenda, Austropop singer Wolfgang Ambros, Tel Aviv prosecutor Liat Ben Ari, and Ali Nur Yasin, senior editor at Indonesian partner Tempo.
Other instances included investigative journalist Gianluigi Nuzzi in Italy, tracked shortly after exposing Vatican corruption; Anne Wojcicki in California, monitored over a thousand times as she moved through Silicon Valley; and associates of Rwandan opposition leader Patrick Karegeya in South Africa, tracked prior to his assassination.
Further research revealed surveillance activity closer to home for our reporting partners. In Austria, Der Standard uncovered a tracking campaign targeting executives at Red Bull. NRK in Norway examined Altamides’ use on a telecom executive. In Indonesia, Tempo interviewees believed they were targeted for political activity or dissent. In Serbia, KRIK found surveillance of energy-sector figures, and in Israel, Haaretz identified high-profile lawyers and businesspeople with African and Gulf interests.
First Wap told this investigation that it denies “any illegal activities” or “human rights violations,” and cannot comment on allegations that might reveal client identities. The company claimed it does not perform tracking itself and has no knowledge of Altamides’ use post-installation, emphasizing that the technology is intended for law enforcement to combat organized crime, terrorism, and corruption.
Surveillance Beyond Borders
In 2012, a woman we call Sophia was vacationing near Goa’s coast, unaware her movements were being tracked halfway across the world with government-grade software. She was not monitored by law enforcement but by a man who had been stalking her for ten months.
Sophia’s story demonstrates how Altamides spread beyond government control to private actors, used for both commercial and personal surveillance. The archive includes hundreds of ordinary individuals — teachers, therapists, tattoo artists — alongside business leaders and politically exposed figures.
First Wap marketed its software through a shadowy network of resellers. Confidential documents reveal one such intermediary, British corporate investigations firm KCS Group, tried to sell Altamides to governments during the Arab Spring while also using it for corporate investigations, targeting rivals of its clients. KCS told investigators it “has not been involved in selling or using inappropriate surveillance materials” and maintains “ethical standards in all our operations.”
A Cunning Pioneer
Unlike other surveillance giants scrutinized for targeting journalists, activists, and diplomats, First Wap has thrived for two decades without much public attention. Altamides’ story began in the early 2000s when former Siemens engineer Josef Fuchs exploited a weakness in the global telecom network. By abusing the outdated SS7 protocol, he could determine users’ locations instantly. Fuchs pivoted his Jakarta-based company from marketing to phone tracking, establishing one of the first global location-tracking firms.
The software allowed anyone to pinpoint a phone anywhere within seconds during the era of BlackBerrys and Nokias. Over time, First Wap expanded its capabilities, enabling SMS interception, call eavesdropping, and even breaching encrypted messaging apps like WhatsApp.
“We Can Find a Way”
Reporting revealed dozens of non-criminal people surveilled without consent. Evidence indicated Altamides was used by both authoritarian governments and non-government actors without legal authority. To explore the limits of First Wap’s rules, Lighthouse staged an undercover operation.
The company insisted it “vets and verifies any government client/final user for sanctions compliance” and claimed “there has never been any exception.”
To test this, reporters created a fake persona, Albert, a South African businessman running a boutique consultancy in the British Virgin Islands, with a colleague posing as a politically connected figure in West Africa. They registered for ISS World to pitch projects and gauge First Wap’s response.
In June, Albert and Abdou met Rudolph at a Prague hotel. They asked whether First Wap could monitor opponents abroad, crack encrypted WhatsApp messages, or help a mining company disrupt environmental protests. Rudolph acknowledged potential hurdles: some targets might be under EU or US sanctions, putting European executives at risk. “That’s why when we make such a deal we make it through Jakarta,” he said. He described it as a “grey area” — but added, “we can find a way,” later illustrating this through a shell company to obscure the paper trail linking First Wap to the sanctioned client.
When confronted about the undercover operation, First Wap claimed that “misunderstandings evidently arose” and that its executives were speaking solely about technical feasibility.