How a Global Ad‑Based Tracking System Spies on Half a Billion Phones
An April 2026 investigation reveals Webloc, an ad‑intelligence geolocation platform that can monitor up to 500 million mobile devices in real time, retain three years of history, and is sold to law‑enforcement agencies worldwide, exposing serious privacy risks and a complex data‑broker supply chain.
In April 2026 the Overseas Security Lab disclosed Webloc, a global ad‑intelligence geolocation system capable of tracking up to 500 million mobile devices in real time and storing three years of historical movement data.
Data collection channels
Webloc aggregates location information from two sources. The first is real‑time bidding (RTB) where, within a second of an ad‑enabled app or website opening, an auction broadcasts the device’s advertising identifier, current location, age, gender, interests and other attributes to dozens of ad firms. The second source is third‑party software development kits (SDKs) embedded in free apps that harvest precise GPS, nearby Wi‑Fi SSIDs, Bluetooth device lists and sensor data.
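An added illustration (not from the original report or any vendor code): a Python script that lists the personal fields carried in one constructed RTB bid request, then builds a minimized copy that a publisher or mediation layer could send instead. The field names assume the public OpenRTB 2.x object model, which the article does not name; all values are constructed.

```python
import copy

# Constructed sample; field names assume the public OpenRTB 2.x object model.
SAMPLE_BID_REQUEST = {
    "id": "constructed-req-1",
    "app": {"bundle": "com.example.weather"},
    "device": {"ifa": "00000000-aaaa-bbbb-cccc-000000000001", "ip": "192.0.2.44",
               "lmt": 0, "geo": {"lat": 48.208174, "lon": 16.373819, "type": 1}},
    "user": {"yob": 1990, "gender": "M", "keywords": "basketball,luxury"},
}

# Dotted paths of fields that identify or profile the person behind the device.
SENSITIVE_PATHS = ["device.ifa", "device.ip", "device.geo.lat", "device.geo.lon",
                   "user.yob", "user.gender", "user.keywords"]

def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(request):
    """Return {path: value} for every sensitive field present in the request."""
    return {p: _get(request, p) for p in SENSITIVE_PATHS if _get(request, p) is not None}

def minimize(request, geo_decimals=2):
    """Return a copy with identifiers dropped and location coarsened (~1 km)."""
    out = copy.deepcopy(request)
    device, user = out.setdefault("device", {}), out.get("user", {})
    for key in ("ifa", "ip"):
        device.pop(key, None)
    device["lmt"] = 1  # OpenRTB "limit ad tracking" signal for downstream bidders
    geo = device.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], geo_decimals)
    for key in ("yob", "gender", "keywords"):
        user.pop(key, None)
    return out

if __name__ == "__main__":
    print("broadcast as-is:", audit(SAMPLE_BID_REQUEST))
    print("after minimize :", audit(minimize(SAMPLE_BID_REQUEST)))
```

Every bidder that receives the unminimized request sees the advertising identifier paired with a GPS-grade fix, which is the pairing a location broker needs to build a per-device history.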
Company background
Webloc was originally built by Israeli monitoring company Cobwebs Technologies (founded 2015 by former special‑forces personnel). In July 2023 Cobwebs was bought by US private‑equity firm Spire Capital for $200 million and merged with US law‑enforcement software vendor Penlink. Penlink, founded in 1987, previously sold PLX, a tool that ingests telecom and internet data. After the merger the product suite includes Tangles (network‑intelligence platform) with Webloc as an add‑on, plus Lynx (virtual‑identity management), Trapdoor (social‑engineering platform) and Weaver (financial‑investigation suite).
Core capabilities
Global coverage of up to 500 million devices
Retention of up to three years of historical location records
Data refresh every 4–24 hours
Electronic‑fence (geofence) creation and device listing per zone
Movement‑trajectory tracking across multiple locations
Long‑term activity analysis to infer home address, workplace and daily routes
Detailed user profiling: age, gender, language, interests, installed apps, device model, OS version, Wi‑Fi hotspot names, etc.
Illustrative cases
A leaked technical proposal shows a five‑day trace of a male user in Abu Dhabi: 81 GPS points, 110 Wi‑Fi‑derived points, a list of 141 installed apps, and classification as “commuter”, “basketball fan” and “luxury‑goods buyer”. Another case follows a device from Germany through Austria to Hungary using 39 historical points and demonstrates cross‑border device detection.
Customer base
US agencies are the largest market: Immigration and Customs Enforcement (ICE) has spent over $5 million on Cobwebs/Penlink tools since 2021 and signed a $2.3 million contract in September 2025 for a one‑year Webloc license. The US Navy, Army Space and Missile Defense Command, Texas Department of Public Safety, and dozens of city police departments also use Webloc. International customers include Salvadoran police ($680k purchase in 2020), Vietnamese technical specifications, Hungarian intelligence agencies (new license in March 2026), UK police (39 of 44 departments use or refuse to comment), and several European ministries that either confirm or deny usage.
Server footprint
Technical analysis identified 298 active Cobwebs‑related servers in 25 countries. Of these, 219 servers are directly tied to product deployment, all hosted on Microsoft Azure (126 in the US, 32 in the Netherlands, 17 in Singapore, 8 in Germany, 8 in Hong Kong, 7 in the UK). Five servers appear dedicated to Webloc (located in Mexico, Singapore, the Netherlands and Hungary); the Hungarian server was shut down in January 2026, coinciding with the agency’s new license.
Data fusion and export
Webloc merges ad‑derived data with telecom dumps (e.g., cellular data dumps from AT&T, Verizon) and supports CSV export for further analysis. The interface integrates Google Street View, allowing investigators to view street‑level imagery of target locations.
Trapdoor platform
Beyond passive tracking, the report uncovers Trapdoor, an “active network‑intelligence” social‑engineering platform. Its features include generating phishing links that mimic any website, rapid creation of fake webpages and pop‑ups, automatic extraction of device fingerprints (IP, browser, OS, screen resolution, battery level), a built‑in keylogger, payload delivery, and the ability to open hidden browser tabs to harvest media files. While Trapdoor itself does not contain malware, it enables customers to deploy malicious payloads and even access camera and microphone via browser code. Active servers possibly linked to Trapdoor were found in Kenya, Indonesia, Japan, the UAE, Singapore and Hong Kong; no confirmed customers are known, though a 2021 Meta report mentions Cobwebs customers using fake accounts for social‑engineering attacks.
Privacy implications and mitigation
Grant location permission to apps only when necessary
Disable cross‑app tracking features
Delete or periodically reset the device’s advertising identifier
Use privacy‑focused browsers and search engines
Avoid free weather, navigation and fitness apps that embed tracking SDKs
The investigation concludes that ad‑based geolocation surveillance is spreading rapidly worldwide with little regulation, posing a severe threat to global freedom and personal security.
Black & White Path
