The men who can monitor almost anyone are hard to find. Their company has existed for more than 20 years, yet hardly anyone knows it. What they offer remains invisible and mostly unnoticed: their technology can locate mobile phones worldwide. From afar and in secret, it allows one to query who was where, when, and for how long.

There are hardly any traces of the company’s managing director and co-owner on the internet, not even a photo. In a video call, he is the only one who does not turn on his camera. He seems like a phantom spying on the world from the shadows.

Officially, his company First Wap is based in Jakarta, the capital of Indonesia, and in Dubai. But in early summer, the managers traveled to the most important trade fair of their industry in Prague. The “ISS World Europe” is a closed event. Journalists are not welcome.

But undercover reporters from a team coordinated by the investigative organization Lighthouse Reports managed to enter using a cover story. The journalists posed as brokers on a shopping tour for clients from West Africa — for example from Niger, one of the poorest countries in the world. After a military coup in 2023, the EU imposed strict sanctions on the junta. In Germany and other EU states, export licenses are required for the delivery of surveillance software. Buyers from Niger would be excluded.

The reporters’ target was the First Wap booth in one of the back rooms. There, the company advertised, among other things, “Location Tracking,” meaning the locating of target persons. Their system, which can do even more, is called Altamides. Users only have to enter a phone number, and the program immediately spits out the location of the device.

As soon as particularly delicate questions came up at the booth, the responsible staff quietly switched from English to their native language, German. The discreet managing director introduced himself as Jonny G., born in Passau. His head of sales is Günther R., who has been with the company only for a few years. He is Austrian, as was the company’s founder Josef F., who died in 2024. F. came from a mountain village in Tyrol, worked for Siemens, and then built a globally operating surveillance company.

A large dataset now shows: the software Altamides was used for many years for unethical or even illegal purposes. The explosive dataset is one of the largest yet from the sealed-off surveillance industry. It documents more than 1.5 million tracking attempts in 168 countries and regions around the world, mainly between 2007 and 2014. Around 14,000 mobile numbers were located with First Wap technology during that period — some sporadically, some hundreds of times — including in Germany and Austria.

The marketing narrative of the industry has always been: they sell only to governments — for the legal use of the technology in law enforcement, for the hunt for terrorists and criminals. The reality is darker. Software from the Israeli NSO Group has repeatedly been found on the phones of government critics, human rights activists, and journalists, including in Hungary and Greece. As recently as this spring, spyware from the Israeli manufacturer Paragon was found on the mobile phones of Italian journalists.

The list of targets in the First Wap dataset also suggests massive abuse of the surveillance technology. Lighthouse, DER SPIEGEL, ZDF, and other investigative partners were able to match around 1,500 monitored numbers to their users and spoke to more than 100 of them.

“This shocks me, I find it unacceptable.”

Among them are international investigative journalists, prosecutors, and ministers. A former prime minister of Qatar is on the list, as is Asma al-Assad, the wife of the former Syrian ruler. Also oligarchs, diplomats, bankers, and top managers. For example, U.S. entrepreneur Anne Wojcicki, founder of the start-up 23andMe and ex-wife of Google founder Sergey Brin, who was tracked around 1,500 times. A board member of the Italian oil company Eni, a senior Airbus employee, and a well-known Formula 1 blogger were also located. Even culture was not spared: the number Hollywood actor Jared Leto uses for his Snapchat account is on the list — as is that of Austrian singer Wolfgang Ambros.

They were all located with First Wap’s Altamides system, sometimes resulting in extensive movement profiles. None of the victims likely suspected that their privacy had been violated for years; most reacted surprised and outraged. “This shocks me, I find it unacceptable,” said a German TV producer and director. He now wants to examine legal steps.

There were a total of 4,264 tracking attempts for German numbers during the years covered by the material, 1,276 of them inside Germany. One query led to the Paul-Löbe-Haus in Berlin, directly next to the Reichstag. Members of parliament have their offices there; Bundestag committees meet inside. Another location query took place in or directly adjacent to a BND (Federal Intelligence Service) building in Berlin. In both cases, the numbers could not be assigned to a specific owner. Often, however, this was different. One trail even led to the Vatican.

The Hunt for the Vatican Whistleblower

The subject lines of internal emails show that, in spring 2012, panic suddenly broke out. “Urgent,” they said, and: “Drop everything!” An Italian intermediary had found a promising new Altamides prospect who requested a demonstration of the surveillance technology. Sometimes the employees who were to enable this discreetly abbreviated the potential new customer as “V,” sometimes they wrote it out. “Vatican visit,” one email read.

The intermediary reported to his colleagues that he was asking the church officials for sample numbers for a test run. Apparently, he received them promptly.

Four days later, tracking of two mobile phones began. Both belonged to Gianluigi Nuzzi, an Italian investigative journalist. His specialty is revelations from the Vatican. A few years earlier, his book “Vatikan AG” had made headlines worldwide, exposing corruption and scandalous financial dealings at the Vatican Bank.

Now he was on the verge of publishing his next bombshell. “His Holiness” was based on secret letters from the German pope Benedict XVI, which had disappeared from his apartment. Nuzzi described intrigues and power struggles. The scandal became known as “Vatileaks.” Tension around St. Peter’s Basilica was correspondingly high.

Nearly 200 times, the author’s whereabouts were queried in the following days, at times automatically every hour. Just under a week later, Vatican police arrested Nuzzi’s most important source — the pope’s then-butler. The next day, the continuous surveillance of Nuzzi ended — interest seemed to have faded. Whether there was a direct connection between the locating operations and the arrest cannot be determined from the data and emails.

In summer, DER SPIEGEL met the journalist in an elegant private club in Milan and showed him his movement profile from the First Wap data. Nuzzi recognised his former home address, various places in Rome, even locations near the Vatican. He had been shocked after his source was arrested, he said. He had, of course, taken precautions and expected to be monitored — but not in this way.

“This method was more productive than sending a van with agents to follow me.” It was good, he said, that the operation was now becoming public. “This is disturbing — we should be locating our enemies, not journalists.”

The German managing director of First Wap could at least have known about the surveillance of the Vatican whistleblower. He was personally involved by email: An employee would “set up the tracking for the two +39 numbers,” he wrote to the intermediary. After the meeting with Vatican officials, the intermediary reported back that the presentation had gone well, the potential customer was “happy.”

The Vatican left an inquiry about the matter unanswered. In a video call with the reporters, the First Wap managing director said he had no idea who Nuzzi was and knew nothing about any connection to the Vatican. The head of the intermediary company explained that his firm certainly had not offered the program to the Vatican; he knew nothing of meetings with Vatican officials.

First Came the Pings, Then the Killers

Damning traces from the material also lead to Africa. According to the First Wap data, numbers in South Africa were repeatedly queried in spring 2012. One belonged to the driver and bodyguard of Rwanda’s former intelligence chief. That man had fled to South Africa after a dispute with ruler Paul Kagame. Another number was that of the wife of a former Rwandan general, who also lived in exile there — and who, together with his compatriot, organised political resistance against the regime.

The First Wap technology was apparently to be used to determine the habits and locations of the exiles. A Rwandan informant from the army told the investigative team that he had received an assassination order from Rwanda’s then-military intelligence chief targeting the compatriots in South Africa. But the job was apparently carried out by someone else. A little more than a year after the Altamides location operations, the ex-intelligence chief was found strangled in a hotel in Johannesburg. Apparently, it was a contract killing by the Rwandan regime.

Rwanda has always denied this. A government spokesman also said the country had never possessed such software nor sought to acquire it.

From internal emails and numerous conversations with former First Wap employees, further deals and discussions emerge with countries in which human rights, freedom of expression, and freedom of the press are threatened or virtually nonexistent.

“Gallery of Rogue States”

Belarus is among them, as are Azerbaijan, Malaysia, and Indonesia, but also Nigeria and the United Arab Emirates. Several former employees interviewed named additional problematic clients. “We had to trust that our customers would use the product for ethical purposes,” one former employee said. Another said that First Wap’s leadership had barely any concerns or restrictions regarding customers: “There were no red lines.”

Internal emails from a British company, which at one point attempted to act as an intermediary — for example with the rulers of Syria, Algeria, Morocco, and Thailand — support this view. Particularly revealing is a message regarding support for the ruling family in Bahrain. Shortly before, organisers had canceled a planned Formula 1 race in the country due to political unrest. With the Altamides software, authorities could identify “negative elements” in the country or elsewhere, the email said, helping to “combat the very negative press and media.”

Ronald Deibert, one of the world’s leading experts on surveillance technologies, calls it a “gallery of human rights–abusing rogue states.” First Wap apparently had no scruples about acting as a service provider to despots.

First Wap rejected all accusations when asked, most recently through a lawyer: “We emphatically reject allegations that we offer an unlawful business model or promote, support, or enable unlawful use.” They said they sell their products only to state entities that have a “legal mandate.” In any case, the programs are operated by clients; after installation, the company has “no access.” As a company, they had “not made presentations to states such as Rwanda, South Africa, or the Vatican.” Even for resellers, there had been “strict conditions.” If violations had occurred, there was reason “to investigate them and sanction them accordingly.”

The British company also denied being involved in the sale or use of “inappropriate surveillance programs.”

The Red Bull Trail

In fact, Altamides was also used in the private sector. More than 20 mobile numbers can be matched to current and former employees of the Austrian beverage giant Red Bull. Most were executives; all worked for a media subsidiary of the energy drink corporation, the Red Bull Media House. The company operates, among other things, the television channel Servus TV.

Almost 1,000 successful queries can be documented, spanning nearly six years. The location operations took place in the USA, Thailand, Italy, and Mauritius — but primarily in Austria and Germany. The affected individuals were tracked not only during working hours but also while on vacation, visiting friends. With some, the queries were automated, every three hours.

One person was spied on particularly intensively: Andreas Gall, then Chief Technology Officer of the Red Bull media subsidiary — and, alongside company founder and now-deceased billionaire Dietrich Mateschitz, one of the managing directors. Gall’s number alone was queried more than 200 times, 166 of those successfully.

On an autumn day, he met DER SPIEGEL in a café in Munich and followed his own traces on a world map: Las Vegas, Madrid, Darmstadt, and again and again Fuschl am See, the headquarters of the company.
“This is eerie and shocking,” Gall said. “Something like this needs to be punished.”

“I would have stopped it.”

Who spied on him and the other Red Bull employees is not revealed by the material. What seems clear is that the years-long surveillance within the Mateschitz corporate empire was not based on any court-approved monitoring order. It was therefore likely illegal under both German and Austrian law.

“Altamides is dangerous,” said a former First Wap employee. “For anyone who has access to it, it is very tempting to misuse it for personal purposes.”

There are indications that First Wap’s Austrian founder Josef F. and Red Bull patriarch Mateschitz knew each other. Several people from the Red Bull orbit remember “Josef” or “Sepp.” Former managing director Andreas Gall says the location technology had been used at sporting events. But he had “of course no idea” that it had been used against him and his colleagues — “I would have stopped it.”

Red Bull stated that First Wap had supported its media house in 2008 and 2009 on three small projects. Motorcycles and snowmobiles had been tracked using transponders, and one project involved a “small market analysis.” All assignments and services amounted to around €6,000 in total. “Any collaboration beyond this is not evident to us.” Moreover, there were “no documents” indicating that “Red Bull, the Red Bull Media House, or Mr. Mateschitz had knowledge of the alleged monitoring of employees.”

In a video call with the reporters, the German First Wap chief also denied this case: One could not locate anyone in Europe, he said. It was illegal, and in any case they did not have the necessary access.

The dataset, however, suggests the opposite. According to the data, there were close business ties until recently with the state-run Liechtenstein telephone provider Telecom Liechtenstein. Its network apparently served for decades as an entry point for First Wap’s location queries — including in Europe. Vatican whistleblower Nuzzi, Red Bull manager Gall, and numerous other victims were, according to the dataset, tracked via Liechtenstein.

When confronted with this, a spokesman for Telecom Liechtenstein said that “due to the serious allegations,” the company had “immediately suspended” its business relationship with First Wap and “blocked all services until the allegations can be clarified.” Should they prove true, the cooperation would be “terminated without notice.”

Business ‘in the dark grey area’

Back to Prague, to the surveillance trade fair where First Wap hopes to win new customers and does not expect undercover reporters. Has the company changed its course since the earlier surveillance scandals? Does it still sell its location-tracking technology? Even to highly problematic customers?

The First Wap bosses have arrived. Even the German managing director Jonny G. is present — the man about whom hardly anything can be found in public sources. The phantom. After the death of the flamboyant founder, he is the company’s new power figure. The Austrian head of sales Günther R. stands at the booth as well. Two inconspicuous middle-aged men, muted business suits, ties.

The supposed broker for West African clients reports a problem. There are protests in front of a mining site, disrupting business. The head of sales immediately enters the negotiation. He wants to know whether the ringleaders are known or need to be identified through surveillance. They have solutions for that as well.

What is important, he says, are good connections to the ruler and the ability to install their technology at local network operators. Regarding a potential deal with sanctioned Niger, the First Wap salesman says: “We are the only ones who can deliver.” The Jakarta location made that possible. And what about the export license required for a country under sanctions? “We’ll find a way.”

To discuss this, the salesman and his boss switch briefly from English to German.
“If we don’t know anything about it…” R. says, looking meaningfully. They agree to handle the deal through employees in Jakarta. Otherwise, the managing director says, it is too “sensitive.” He calls it a deal in the “dark grey area” and laughs.

“I could go to prison.”

The men talk at length at the booth about how best to conceal the arrangement, especially the payments. No money from Niger may flow into First Wap accounts. The intermediary could establish a front company in South Africa, for example. That company would then receive contractual authorisation to sell into an additional, unspecified country — that is the idea. This way, they could deny knowing the actual end customer.

As an Austrian, the salesman says, “I could go to prison,” and the same applied to his German boss.

When the reporters later confronted the two managers in a video call with these statements, they emphasised that they had never finally agreed to the problematic deal. Through their lawyers, they said that “misunderstandings” had apparently occurred at the Prague booth, which “may have led to incorrect interpretations.” First Wap also stressed that all customers were vetted before any contracts were concluded.

At the booth in Prague, though, there seemed to be little hesitation about arranging the deal. The salesman even joked about a competitor who had declined multimillion-euro contracts:
“Cool! I want to have such a moral standpoint too.”

What mattered to him was staying under the radar, minimising the risks. As a cautionary example, he mentioned Israeli providers offering far more sophisticated espionage technology. But those companies were “all so public now, you can read about them in the newspapers.”

His verdict: “That is not good.”

Other contributors: Elena Debre, Bashar Deeb, Tomas Statius, Sabrina Slipchenko, Sarasvati Nagesh Thuppadolla, Tessa Pang, Wael Eskandar, Ariadne Papagapitos, Daniel Howden, Antonella Napolitano, Dayo Aiyetan, Morgan Childs, Abdou Malah, Michela Wrong, Maria Christoph, Dajana Kollig, Frederik Obermaier, Hakan Tanriverdi, Lorenzo Bodrero, Henrik Bøe, Jim Briggs, Beatrice Cambarau, Olivier Clairouin, Artis Curiskis, Jörg Diehl, Benjamin Dyrdal, Per Øyvind Fange, Verdiana Festa, ZDF Frontal, Janine Große, Nadia Hamdan, Pavla Holcova, Tobias Holub, Uwe Jürgens, Monika Köstinger, Al Letson, Undine Meinke, Ruth Murai, Sophie Murgaia, Christoph Neuwirth, Lu Olkowski, Yosea Arga Pramudita, Kamila Ramezani, Daniel Retschitzegger, Morten Rød, Lea Rossa, Per-Kåre Sandbakk, Avi Scharf, Daniel Schulman, Marianne Szegedy-Maszak, Taki Telonidis, Praga Utama, Caroline Utti, Sam Van Pykeren, Adam Vieira, Anne Vinding, Swantje Wehr, James West, Zsolt Wilhelm