Investigation: Safia Mahdi and Mohammed Nasser, in conjunction with Al-Ndaa newspaper

Every 7 minutes, a Yemeni phone number is either hacked or used illegally, mostly on WhatsApp. This is revealed by documented data for just 120 hours of number sales in a single group, and while such operations are not exclusive to any country, Yemen is particularly affected.

The issue goes beyond mere virtual usage that does not violate the ownership and rights of others. It involves identity theft, stolen conversations, and shattered trust in communication applications, as well as hundreds of websites and digital services that require verification via SMS messages.

This investigation reveals a dark underworld, where the buying, selling, and hacking of phone numbers, or their misuse, occurs unlawfully, drawing from authenticated data and information from open and private sources.

The Root of the Problem

The story begins with whispers and murmurs on social media platforms, where people share stories of hacked WhatsApp accounts, stolen numbers, and online identity theft. Nahla, a young mother, recounts her shock when her brother called her to ask why she wasn't responding on WhatsApp. She only uses the number for calls, so she discovered that someone else had her phone number on WhatsApp. She tried to get help from a relative who is experienced in phone repair, but he failed and advised her to contact the company that sold her the number.

The government company Yemen Mobile sends warnings to subscribers (screenshot)

The government company Yemen Mobile sends warnings to subscribers (screenshot)

Nahla's story is not unique. Countless Yemenis face similar privacy violations and potential damage to their reputations. More than a week ago, Yemen Mobile, the country's leading telecommunications company, sent out security alerts in a desperate attempt to stop this tide. The message is clear: there is a serious threat lurking, and the ability to steal your number, your online identity, and perhaps more.

How did this happen? What measures can be taken to protect oneself? This investigation attempts to answer these questions by telling the story that goes deeper into how these cybercriminals operate, explores possible solutions, and empowers Yemenis to regain control of their digital identities.

Virtual Numbers or Hacking?

Virtual numbers are a common phenomenon. Some are legal in some countries, while others are illegal and operated by hackers and professionals who sell temporary numbers, often used to activate applications or websites upon login. On the other hand, they are a means of hacking online accounts or impersonating others if the number is registered in someone else's name. It can even be used in online stores or to access accounts on various platforms, including Facebook and X (formerly Twitter).

This threat, which can potentially affect any Yemeni household, given the widespread use of communication applications and various website services, came to the fore through complaints and rumors, some of which accused Yemen Mobile and its employees of selling user numbers. This forced the company to deny the rumors in a statement on February 3, 2024, in which it acknowledged that there was indeed a problem faced by many users where other people obtained their numbers and used them to log into the WhatsApp application.

The company said in its statement that regarding "the problem that some of its customers' numbers have been exposed to in the WhatsApp application," the problem "lies in the existence of fraudulent websites that promote various numbers from several international companies over the Internet and sell them to individuals who wish to use new accounts in the WhatsApp application and other applications." It denied having any connection "to those suspicious websites that carry out illegal activities."

Wholesale and Retail

While Yemen Mobile did not specify the details of the "suspicious" websites it mentioned, the Yemeni Fact-Checking Network followed the threads of the problem to uncover a world of online buying and selling. It starts with mostly Russian websites, then passes through Yemeni and non-Yemeni sellers and agents who buy the available numbers in "bulk" and sell them in a group on at least one social media application, in exchange for cryptocurrencies that can be purchased from specialized websites or from agents in Yemen and outside Yemen, who charge someone's account to buy one or more numbers.

During correspondence - which we have retained - conducted by people we hired to contact one of the administrators of one of these groups, the latter defended the process they are doing and that it does not violate the law, which he said does not prevent the sale of "dummy numbers." He pointed out that they do not work away from the eyes of the security forces, and that "half of the customers are state officers." These are claims that we were unable to verify independently.

On the other hand, we contacted a Yemen Mobile official to ask about the legal aspect of selling these numbers. He said that "what is happening is definitely a violation of the laws, because it is done without the consent of the company and without the consent of the people who own the numbers." He added that "anything you do without the consent of the owner is a violation of the law... whether it is a service or a product or a commodity or anything else, and there are certainly laws that protect the rights of owners, users, and individuals."

Legal Shortcomings in the Digital Space

The legal aspect of the digital space faces many obstacles in Yemen. According to Yemeni legal advisor Jamal Al-Juaibi, "There are no laws in Yemen that deal with electronic developments." He explains that current laws address harm and illegal actions against individuals only indirectly. However, these old laws, predating the open digital space, cannot keep up with cybercrimes, whether they stem from negligence and hacking by companies or from individuals manipulating modern social media, known as hackers.

Al-Juaibi adds that although some countries have developed regulations and legal texts to keep pace with these types of crimes, the problem or loophole in these laws remains linked to the principle of territoriality. These laws cannot be applied outside the country that enacted them. Therefore, Al-Juaibi says, the judiciary and effective legislative bodies are still confined to the countries that produce applications and social media platforms, such as Facebook, WhatsApp, and others, which are mostly sourced from the United States. This is why "we find American lawmakers holding public hearings and inquiries in the US House of Representatives and Congress, sometimes to question these companies and their owners, in addition to the possibility of lawsuits being filed by victims in the American courts."

Targeted Numbers and Activation

The information we gathered revealed that the numbers sold to activate any accounts are provided randomly, so the available numbers are offered to people who want to activate WhatsApp and are sold for cryptocurrencies at low prices (about three numbers can be purchased for one dollar or its equivalent in the digital currency accepted in payment transactions).

The network verified, through questions asked to those responsible for selling the numbers, that they do not only deal with numbers that do not have WhatsApp accounts, but the activation code can reach another person who hijacks the account once they enter it, but they may face obstacles if the user activates "two-step verification." Also, activation messages do not always arrive, forcing the person who bought the number to choose another number until the activation is successful.

When asked about the issue, Yemen Mobile said that it is working on solving the problem, and that it is not related to the company alone, but can happen to any company. However, it became famous because of the large number of subscribers it has and because users prefer its numbers. The company stressed that the largest part of the problem has been solved, and that the numbers targeted in WhatsApp are because it is the most common, while the threat does not exclude other applications.

In response to a question about whether the company contacted WhatsApp, an official who preferred not to be named said that the contact was actually made through a WhatsApp agent, and that the company (WhatsApp) responded through its agent that the problem had been solved for those who had their accounts logged into by others, and they (the primary subscriber) now receive activation messages to recover the account. However, the problem persists with some accounts that have been secured by hackers with "two-step verification."

 

Data Provides Definitive Answers

Contrary to the allegations circulated on some social media networks, such as rumors against Yemen Mobile, it seems that the most widespread company in Yemen, like other companies, is not the only one affected by this issue. However, it was the only one that dared to acknowledge the problem and issue warnings to its subscribers. Subscribers of the two companies "YOU" and "SabaFon" did not report receiving warning messages from the company to protect their accounts.

This is what phone number data sold within 120 hours in one of the sales groups on social networks indicates, which the Yemeni Fact-Checking Network obtained. We analyzed it to obtain crucial answers regarding the countries most targeted by these breaches and whether they pertain to one company over another.

The activation messages that include the data, the most important of which are the request number, the type of platform (WhatsApp or other), the country name, and the first four digits of each phone number

The activation messages that include the data, the most important of which are the request number, the type of platform (WhatsApp or other), the country name, and the first four digits of each phone number

Our analysis of the sample data observed for the days of February 9, 10, 11, 12, and 13, 2024, revealed that 1696 numbers were sold, hacked, and used illegally from 28 countries. Yemen was at the top with 1069 numbers, representing more than 63 percent of the total numbers.

Foreign countries occupied varying percentages between 1 and 10 percent, with Chile having 138 numbers, Vietnam 134 numbers, Colombia 77 numbers, South Africa 75 numbers, Rwanda 27 numbers, Turkey 25 numbers, the United States of America 19 numbers, Samoa 19 numbers, then Angola 10 numbers, India, Tajikistan, and England with 4 numbers each, 3 numbers from the Philippines, while Brazil, France, and Canada had 2 numbers each, and one number each from Mexico, Russia, Kyrgyzstan, and the Netherlands.

Arab countries were not absent from this result related to one group only, as Saudi Arabia ranked with 9 numbers, Morocco 4 numbers, the Emirates 2 numbers as well as Libya, then one number each in Jordan, Syria, and Egypt.

Countries Whose Phone Numbers Have Been Compromised Within 5 Days

Countries Whose Phone Numbers Have Been Compromised Within 5 Days Flourish

As for Yemeni companies, the data analysis revealed that 686 numbers starting with "77" (Yemen Mobile) and 33 numbers starting with "78" for the same company were registered. In addition, 178 numbers from the company "YOU" (formerly MTN Yemen) starting with "73" and 145 numbers from the company "SabaFon" starting with "71" were registered, in addition to 29 numbers from the less widespread company "Wi for Communications" which starts with "70".

_Yemeni Numbers and Each Company's Percentage

_Yemeni Numbers and Each Company's Percentage Flourish

The data showed that approximately every 7 minutes, a Yemeni phone number is sold illegally or hacked, if it was used before, to be used with one message to activate an application or platform on social media networks.

As for the nature of the application or platform hacks, WhatsApp owned by Meta came in the first place with 1335 numbers and a percentage of nearly 79 percent, followed by the Telegram application with 114 numbers and a percentage of nearly 7 percent, and 9 codes in the Saudi Haraj application and only 7 numbers for activation from Google, and 3 numbers for activation in the Imo application, but other platforms that may include financial applications, social networks, and perhaps Facebook accounts and other networks, where the number of hacks during 48 hours reached 228 numbers and a percentage of more than 13 percent.

The most frequently abused applications

The most frequently abused applications Flourish

Who is Responsible?

The information verified by the Yemeni Fact-Checking Network shows that the process is part of what is known as "virtual numbers," provided by illegal websites and companies. It is unlikely that mobile phone companies or any of their employees have anything to do with it, contrary to what has been rumored.

However, this does not exempt the companies concerned in Yemen from the responsibility of protecting subscribers, especially since the problem is not new, but has been circulating for many months, according to documented posts on the network since January 2023, including video ads for the sale of Yemeni numbers to activate WhatsApp and other applications.

Speaking to the Yemeni Fact-Checking Network, Ibrahim Ahmed, a Yemeni digital security expert, says that "this hacking is a serious cybersecurity issue, even if it only affects ten people, and sometimes one person." However, "when we talk about hundreds of numbers in a country every day, we are facing a digital pandemic that requires responsible action, and the government agencies concerned with communications and the telecommunications companies that provide these numbers bear the responsibility before the subscriber in Yemen. It also puts global companies directly responsible, as they have not taken the necessary measures to protect the security of their application users."

He adds that this problem "should lead to radical solutions for social networks, even if it requires changing the entire login methods and reconsidering the ways of protecting and using SMS messages. Or that two-factor authentication becomes a mandatory option and not an optional one, given that the majority of users do not care about security measures and can therefore be victims."

Original text in Arabic, translation with the help of artificial intelligence