Toronto police say they have broken up Canada’s first known criminal case involving mobile “SMS blasters,” hidden devices that can mimic legitimate cell towers and push scam texts directly to nearby phones.
The investigation, called Project Lighthouse, led to three men facing 44 charges after police said tens of thousands of devices connected to the rogue systems over several months.
For anyone who has ever received a strange bank text while standing in line for coffee, this case hits a little differently. It was not just another phishing campaign floating around the internet.
Police say the devices were mobile, operated from vehicles, and linked to more than 13 million network disruptions across the Greater Toronto Area, raising concerns not only about fraud, but also about access to 9-1-1.
What police say happened
Project Lighthouse began in November 2025 after a security partner alerted law enforcement to a suspected SMS blaster operating in downtown Toronto. Investigators later determined that the equipment was being run from vehicles, allowing it to move through different parts of the Greater Toronto Area.
On March 31, Toronto Police executed search warrants at residences in Markham and Hamilton. Two men were arrested, and police seized several SMS blasters along with other electronic evidence. A third man turned himself in on April 21.
Police described it as the first known instance of this technology being used in Canada. That detail matters, because it suggests a type of street-level cybercrime that is no longer stuck behind a keyboard or inside a distant server farm.
How fake towers work
An SMS blaster works by pretending to be a legitimate cellular tower. When nearby phones connect to it, users can receive fraudulent messages that appear to come from trusted organizations, including banks or service providers.
The trick is simple enough to understand, even if the hardware is not. Your phone is always looking for a signal. If a rogue device presents itself as the best connection nearby, the phone may connect before the person holding it notices anything strange.
Once that happens, the scam message usually tries to get the user to click a link. Police said those links can lead to fake websites built to capture personal information, including banking credentials and passwords, a tactic commonly known as “smishing.”
More than a money scam
This is where the story gets more serious. Police said investigators identified more than 13 million network disruptions where devices were unable to properly connect to legitimate cell towers. That does not mean 13 million people were victims, but it does show the scale of the interference.
Deputy Chief Rob Johnson warned that the risk goes beyond stolen passwords. “This wasn’t targeting a single individual or business. It had the ability to reach thousands of devices at once,” he said. “And beyond the financial risk, there are real public safety implications.”
Hypothetically, a person’s phone could be diverted from a real network at the wrong moment. A few seconds may not sound like much, but if someone is trying to call 9-1-1 after a crash, a medical emergency, or a violent incident, those seconds suddenly matter.
A new risk for connected cities
Modern cities run on invisible connections. Traffic apps, delivery alerts, mobile banking, emergency calls, and even that quick text to say you got home safely all depend on wireless networks doing their job in the background.
That is why this case feels bigger than a typical scam-text warning. It shows how criminals can turn ordinary urban movement into a cyberattack, driving through busy streets while hidden equipment reaches thousands of phones around them.
At the end of the day, the phone in your pocket is part of the public-safety environment, too. If fake towers can interrupt that connection, even briefly, then police, telecom providers, banks, and cybersecurity teams have to treat the street as part of the threat map.
What users can do now
Police are urging people not to click links in unexpected text messages. That advice may sound familiar, but this case shows why it still matters, especially when a message appears to come from a trusted company.
Detective Sergeant Lindsay Riddell also advised users to access online banking only through official apps or by typing the website directly into a browser. She warned people not to share personal or login information through unsolicited messages.
There is no need to panic every time your phone buzzes, but caution helps. A delivery notice, parking fine, or bank alert that demands instant payment should be treated like a knock at the door from a stranger asking for your wallet.
What comes next
Police said the investigation involved the RCMP’s National Cybercrime Coordination Centre, the RCMP’s Ontario Division, York Regional Police, Hamilton Police Service, financial institutions, and telecommunications providers.
That kind of coordination gives a clue about how authorities may need to respond as cybercrime becomes more mobile.
For now, the immediate Toronto operation has been disrupted. But the bigger warning remains clear: cybercrime is moving into everyday spaces, and the next scam may not just arrive through the internet. It may pass by in traffic.
The official statement was published on Toronto Police Service.
