Executive Summary
In April 2026, Citizen Lab uncovered that law enforcement agencies in Hungary, El Salvador, and the United States utilized Webloc, an ad-based geolocation surveillance system developed by Cobwebs Technologies and later sold by Penlink. Webloc accesses data from up to 500 million mobile devices worldwide, including device identifiers, location coordinates, and profile data harvested from mobile apps and digital advertising. This system enables authorities to monitor individuals' locations and movements without warrants, raising significant privacy and civil liberties concerns. The revelation underscores the growing use of commercial data for surveillance purposes, highlighting the need for stringent oversight and regulation to protect individual privacy rights.
Why This Matters Now
The exposure of Webloc's extensive surveillance capabilities highlights the urgent need for regulatory frameworks to govern the use of commercial data in law enforcement, ensuring the protection of individual privacy rights in an era of pervasive digital tracking.
Attack Path Analysis
The adversary initiated the attack by exploiting unencrypted data transmissions to intercept sensitive information. They then escalated privileges by manipulating IAM roles to gain broader access. Utilizing east-west traffic, the attacker moved laterally across the network to access additional resources. They established command and control channels through covert communication methods. Sensitive data was exfiltrated via unauthorized outbound traffic. Finally, the adversary impacted the organization by disrupting services and compromising data integrity.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited unencrypted data transmissions to intercept sensitive information.
MITRE ATT&CK® Techniques
System Location Discovery
Acquire Infrastructure: Malvertising
Location Tracking
Geofencing
Hide Infrastructure
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Use of External Information Systems
Control ID: AC-20
PCI DSS 4.0 – Sensitive Authentication Data Storage
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Law Enforcement
Direct involvement in surveillance technology procurement and deployment raises operational security concerns regarding encrypted traffic monitoring and zero trust implementation requirements.
Government Administration
Surveillance technology adoption across agencies creates compliance gaps in NIST frameworks while exposing critical infrastructure to lateral movement and exfiltration vulnerabilities.
Telecommunications
Network infrastructure exploitation through advertising-based geolocation tracking demands enhanced east-west traffic security and egress policy enforcement to prevent unauthorized device monitoring.
Marketing/Advertising/Sales
Ad-tech ecosystem vulnerabilities enable mass surveillance capabilities, requiring multicloud visibility controls and anomaly detection to protect consumer privacy and prevent data misuse.
Sources
- Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data
  https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html
- Citizen Lab Exposes Webloc: Penlink's Global Ad-Based Geolocation Surveillance System Tracking Hundreds of Millions of Mobile Devices
  https://beyondmachines.net/event_details/citizen-lab-exposes-webloc-penlink-s-global-ad-based-geolocation-surveillance-system-tracking-hundreds-of-millions-of-mobile-devices-z-i-j-f-t
- ICE Buying Americans' Location Data Under Scrutiny
  https://www.newsweek.com/ice-buying-americans-location-data-under-scrutiny-11627381
- Cobwebs Technologies Joins PenLink to Expand its Digital Investigative Platform
  https://www.penlink.com/cobwebs-technologies-joins-penlink-to-expand-its-digital-investigative-platform/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially reducing the attacker's ability to exploit unmonitored pathways for lateral movement and data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF could have limited the attacker's ability to intercept sensitive data by enforcing encryption on all data transmissions.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could have constrained the attacker's ability to escalate privileges by enforcing strict access controls based on identity and context.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could have restricted the attacker's lateral movement by segmenting workloads and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could have limited the attacker's ability to establish covert command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could have constrained the attacker's data exfiltration efforts by enforcing strict outbound traffic policies.
Implementing Aviatrix Zero Trust CNSF could have reduced the scope of service disruptions and data integrity compromises by limiting the attacker's reach within the cloud environment.
Impact at a Glance
Affected Business Functions
- Law Enforcement Surveillance
- Immigration Enforcement
- National Security Operations
Estimated downtime: N/A
Estimated loss: N/A
Geolocation data of hundreds of millions of mobile devices, potentially revealing sensitive personal information such as home addresses, workplaces, and movement patterns.
Recommended Actions
Key Takeaways & Next Steps
- Implement High Performance Encryption (HPE) to secure data in transit and prevent interception.
- Enforce Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Deploy Egress Security & Policy Enforcement to control and monitor outbound traffic, preventing unauthorized data exfiltration.
- Establish Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.