SS7 exploit sells for $5,000 on the black market: Cyber threat actor's communications revealed step by step
A critical vulnerability in the Signaling System No.7 (SS7) infrastructure was put up for sale on the dark web for $5,000. Exploit developer and threat intelligence analyst Doğukan Çalışkan, posing as a buyer, conducted a technical analysis that revealed the method used in cybercrime networks in full detail.
What is SS7 and why is it important?
SS7 (Signaling System No. 7) is the signaling protocol that telephone operators worldwide use for critical operations such as call setup, SMS routing, and the exchange of roaming information. Structural weaknesses in this system, which have persisted for years, have enabled attacks such as location tracking, call redirection, and authentication bypass.
Who is Doğukan Çalışkan?
Cyber threat intelligence analyst and exploit developer Doğukan Çalışkan discovered the sale listing on the dark web. Posing as a buyer, Çalışkan contacted the threat actor directly and documented the process technically.
SS7 exploit being sold on the dark web
In a post on dark web forums in June 2025, a threat actor offered the SS7 vulnerability for sale for $5,000. The post also included screenshots and nmap scans of a device on which the vulnerability had been used. The device in question had the SIP service (port 5060) open and was running services that handled the SS7 protocol.
Contact was established by pretending to be a buyer
Çalışkan contacted the threat actor via the TOX messaging app. Rather than asking for the exploit itself at first, he requested evidence in order to determine whether the offer was a scam. The actor shared data showing SS7-related traffic on a device, along with scan results for that device.
One phrase in the actor's messages stood out: 'This should still be turned into a working RCE (remote code execution exploit)'. In other words, what was being sold was raw material: the buyer would still need the technical skill to develop it into a working exploit.
What do the technical data shown reveal?
The actor stated that the devices with an open SIP port were running an Apache server and that a PHP-based web application on them was the target. The services running on these CentOS systems had been scanned for vulnerabilities, and the actor claimed there was potential for RCE.
Among the data presented, the following stood out:
Wappalyzer analysis screen
Port scan results with Nmap
SS7 traffic monitored with sngrep and ngrep
Details of services running on the target device
The actor also said that credentials for the Asterisk PBX could be accessed, which could allow for control over processes such as call forwarding.
Sales method and use of escrow system
The seller stated that they would only work through escrow systems to prevent fraud. In such systems, the buyer's payment is held in an escrow account and released only after the product has been verified. When Çalışkan requested proof before the transaction, the threat actor provided various technical screenshots.
Potential threats of SS7 vulnerabilities
Vulnerabilities in the SS7 infrastructure can be exploited by malicious individuals for the following purposes:
Redirection of SMS messages
Eavesdropping on calls or transferring them to another device
Determining the current location of the target person
Bypassing two-factor authentication
However, the most important element that draws attention here is that the actor did not directly make this vulnerability operational, but only provided the necessary technical infrastructure. This suggests that the final use of the vulnerability was left to more advanced groups.
Techniques and tools used
The tools and methods that stand out in the incident reported by Çalışkan are as follows:
Targeting with search engines such as Shodan and Fofa
Port scanning and service detection with nmap
SIP and SS7 traffic monitoring with sngrep, ngrep
Software version detection with Wappalyzer
Web vulnerability analysis and potential RCE detection
On the radar of advanced groups
As the threat actor noted, these types of vulnerabilities are often the foundation of infrastructures built not for non-technical users but for ransomware groups, advanced persistent threat (APT) teams, and rogue intelligence networks.
Infrastructure vulnerabilities such as the SS7 vulnerability can target not only individual users but also corporate systems, public communications, and critical communications infrastructures.
Source: CUMHA - CUMHURS NEWS AGENCY