Toronto police say they seized several devices they describe as an SMS blaster, a fake-cell-tower tool used to send fraudulent text messages directly to nearby phones. The case matters because an SMS blaster is not ordinary spoofed texting through a carrier network; it is a local radio attack that can briefly pull phones off legitimate service and flood a physical area with smishing messages.
In plain English, an SMS blaster acts like a rogue base station: a device that pretends to be a cell tower so phones in range connect to it. Once that happens, the operator can push texts that appear local or trusted, without knowing victims’ phone numbers in advance.
What Toronto police say they found
The National Post reports that Toronto police made three arrests, laid 44 charges, and seized several SMS blasters in an investigation called Project Lighthouse. Police said the investigation began in November 2025 after they were alerted to a suspected device operating in downtown Toronto.
The details that stand out are operational, not theatrical. Police said the equipment was mobile and run from vehicles, which meant it could be driven through multiple neighborhoods rather than fixed to one location.
Deputy Chief Robert Johnson and Detective Sergeant Lindsay Riddell, as quoted by the National Post, attached two numbers to that claim:
- Tens of thousands of devices allegedly connected to the blaster over several months
- More than 13 million network disruptions where devices could not properly connect to legitimate towers
Those disruptions reportedly lasted from seconds to several minutes. That is the part that turns this from “bulk scam texts” into a network-safety problem. If a phone briefly latches onto the wrong radio source, the issue is not just a phishing link. It is that the phone may be unavailable for normal service during that window, including emergency calling attempts.
Police described the texts as fraudulent messages impersonating trusted organizations and sending people to fake websites designed to steal information. That is standard smishing, SMS phishing, but delivered in a very different way.
How an SMS blaster actually works
A normal spoofed message uses the existing carrier or internet messaging path. By contrast, the CRTC says STIR/SHAKEN is a caller-authentication system for IP-based voice calls. That matters because it shows the limit of that defense: it protects part of voice call routing, not a local rogue-radio setup.
The basic mechanics are surprisingly physical. The device imitates a base station, and phones generally prefer a signal that looks usable and nearby. If the rogue signal wins that short contest, the phone attaches to the attacker-controlled device first, receives locally broadcast text messages, and then may be dropped or handed back to the legitimate network. Toronto police have not published a technical teardown of the seized hardware, so that step-by-step flow is an inference from the police description, vendor marketing, and how rogue base station systems are generally described.
The vendor page for “SMS Broadcaster Machine” is unusually blunt about the sales pitch. It claims the device can send SMS to nearby active phones without a database, without internet, and without using operator credit, by using “Base Station technology.” It also advertises car installation, operator switching, and sender-name features. That is a useful clue about how these devices are framed commercially: not as hacking kits, but as local broadcast systems.
A short text walkthrough makes the distinction clearer:
- Phone sees a nearby signal that looks like a usable cell tower
- Phone attaches to the rogue base station instead of the legitimate one
- Fraudulent SMS messages are broadcast locally to phones in range
- Legitimate network attachment is interrupted for seconds or minutes before the phone reconnects
Here’s the difference in one table:
| Method | How it reaches victims | Needs phone numbers? | Depends on carrier path? | Can disrupt local service? |
|---|---|---|---|---|
| Ordinary SMS spoofing | Through standard messaging routes | Usually yes | Yes | No |
| SMS blaster / fake cell tower | Direct local radio connection to nearby phones | No | No | Yes, briefly |
The technical point is simple: the attacker is not mainly impersonating a sender ID. The attacker is trying to become the radio endpoint your phone talks to, at least briefly. That is why this looks more like a man-in-the-middle problem on the mobile network than a normal spam-text campaign.
Apple’s Lockdown Mode documentation is a small but telling data point here. Apple says Lockdown Mode turns off 2G and 3G cellular support on iPhone and iPad as part of protection against “extremely rare and highly sophisticated” attacks. Apple does not mention Toronto, but it does show that handset vendors treat rogue-network and downgrade-style risks as real.
Why this matters beyond one bust
The interesting part is not whether scam texts exist. Everyone already knows that. The interesting part is that an SMS blaster changes the attacker’s economics and the defender’s assumptions.
First, it removes the need for a target list. A fake cell tower can reach whatever phones happen to be nearby. That makes location the targeting mechanism: a downtown block, a transit corridor, an event, a shopping area.
Second, it bypasses some defenses built for ordinary spoofing. If the attack happens at the radio layer, protections focused on carrier-side routing or caller identity are looking at the wrong layer.
Third, the same technique has legitimate uses. Frank on Fraud describes SMS blasters as devices originally intended for emergency or law-enforcement alerting, and vendor marketing leans hard into that story with phrases like “government-grade loud emergency alert.” That dual use is the awkward part. A local broadcast tool can warn residents about a disaster or send bank-login lures from a van.
Local targeting also changes operations for defenders. A scammer does not need a leaked customer list if they can park near an event venue and hit attendees in one sweep. A business district becomes attractive because executives, employees, and delivery staff are all physically clustered. Dense transit corridors are even worse: lots of phones, frequent movement, and just enough distraction that a fake “service alert” or “bank fraud warning” text can land before anyone slows down to check it.
What readers should take away from the evidence
Some parts of the Toronto case are confirmed by police statements reported by the National Post. Those include the arrests, the 44 charges, the claim that the devices were vehicle-mounted and mobile, and the figures Deputy Chief Robert Johnson and Detective Sergeant Lindsay Riddell gave for tens of thousands of affected devices and more than 13 million network disruptions.
Some parts are supported by adjacent evidence rather than the seizure itself. Vendor marketing shows that products in this category are sold as nearby-phone broadcast systems that do not need a target database. Apple’s Lockdown Mode documentation shows mainstream device makers already account for cellular downgrade and rogue-network threats in high-risk scenarios.
One big piece is still unverified in public. Police have not released a detailed teardown of the seized hardware, so outside researchers cannot yet inspect the exact radio stack, bands, downgrade behavior, or delivery method used in Toronto. That means the broad shape of the attack is well supported, while the precise implementation details are not yet independently confirmed.
The takeaway for generalists is narrow but useful:
- A text that feels local is not proof it came through a trusted carrier path.
- Cell tower spoofing creates a different problem from ordinary SMS spoofing because the attack starts with radio attachment, not just message identity.
- Anti-spoofing measures for calls do not automatically solve smishing sent by a rogue base station.
- Based on one bust, this is not proof of a widespread national wave. It is evidence that the technique is credible enough for security teams, telecom operators, and public-sector defenders to watch closely.
Key Takeaways
- Toronto police say they seized several SMS blaster devices, arrested three men, and linked the operation to tens of thousands of affected phones and more than 13 million network disruptions.
- An SMS blaster is a rogue base station or fake cell tower that tricks nearby phones into connecting, then sends smishing texts directly over local radio rather than through normal carrier messaging paths.
- That makes it different from ordinary SMS spoofing: it can target any phone in range, needs no phone-number database, and may bypass controls aimed at voice-call authentication or normal carrier routing.
- The reported network disruptions make this a public-safety issue as well as a fraud issue, because phones diverted from legitimate towers may briefly lose normal connectivity.
- The Toronto case does not publicly prove every technical detail, but it does show the limits of SMS trust when the attack moves from the messaging layer to the radio layer.
Further Reading
- Toronto police seize ‘SMS blasters,’ a new cybercrime weapon in Canada | National Post, Report on the arrests, charges, seized devices, and police claims about scale and network disruption.
- About Lockdown Mode – Apple Support, Apple’s documentation showing Lockdown Mode disables 2G and 3G support as a protection against sophisticated attacks.
- SMS Broadcaster Machine, Bulk SMS Blast, SMS Marketing System, Vendor page showing how these systems are marketed as local broadcast tools that reach nearby phones without a database.
- Compliance and Enforcement and Telecom Decision CRTC 2025-343, Canadian regulatory context for anti-spoofing measures such as STIR/SHAKEN, and why those measures target a different layer.
- SMS Blasters: The Fraud Machine Anyone Can Buy Online – Frank on Fraud, Practitioner explainer covering how SMS blasters are used in fraud campaigns and why they are hard to regulate.