Table of Contents

• What Is a Man-in-the-Middle (MITM) Attack?
• Why 5G Was Supposed to Make MITM Harder
• The Three Big Weak Spots Hackers Found
• Fake Base Stations Are Back (and Smarter)
• The SS7-to-5G Downgrade Trick
• DNS Poisoning Over 5G Slicing
• Real-World Attacks That Already Happened
• Known 5G MITM Incidents 2024–2025 (Table)
• How the Attacks Actually Work Step by Step
• Why Normal VPNs and HTTPS Sometimes Failed
• What Carriers and Governments Did to Fix It
• What You Can Do Today to Stay Safe
• Conclusion

What Is a Man-in-the-Middle (MITM) Attack?

A Man-in-the-Middle attack is exactly what it sounds like: an attacker secretly places himself between you and the real website or service. He sees everything you send and receive, and he can change messages without you noticing. In the old days this was mostly done on public Wi-Fi. With 5G, attackers found ways to do it over cellular networks, even when you are walking or driving.

Why 5G Was Supposed to Make MITM Harder

When 5G was designed, engineers added several new protections:

• Stronger encryption between phone and tower
• Mutual authentication (phone checks the tower and tower checks the phone)
• Protection against downgrade attacks (forcing the phone to use older, weaker 4G or 3G)
• Something called network slicing that separates different types of traffic

On paper, these changes should have made classic cellular spying almost impossible. Unfortunately, real-world deployments left several doors open.

The Three Big Weak Spots Hackers Found

• Fake 5G base stations (called "stingrays on steroids") that cost less than $2,000 in 2025
• Legacy signaling systems (SS7 and Diameter) still used during handovers and roaming
• Network slicing and DNS configuration mistakes by some mobile operators

Fake Base Stations Are Back (and Smarter)

In 2024, security researchers in China and Europe showed that cheap software-defined radios could pretend to be real 5G towers. Because many phones are programmed to connect to the strongest signal, victims automatically connected to the fake tower without any warning. The fake tower then forwarded all traffic to the real network so everything looked normal, while copying everything in real time.

The SS7-to-5G Downgrade Trick

When you move between countries or between 5G and 4G areas, your phone still uses the old SS7 or Diameter signaling system. Hackers with access to these systems (common in 2024, simply told your phone to drop to 4G or even 3G, where encryption is weaker or missing. Once downgraded, classic MITM tools worked perfectly.

DNS Poisoning Over 5G Slicing

Some operators created separate "slices for internet, VoIP, and IoT traffic. A misconfiguration in 2024–2025 allowed attackers inside one slice to poison DNS responses for phones in other slices. This let them redirect banking apps and WhatsApp to fake sites that looked 100% real.

Real-World Attacks That Already Happened

Between June 2024 and November 2025, at least twelve documented campaigns used these techniques:

• Banking trojans in Brazil and India stole millions using fake 5G cells
• Government officials in three Middle-Eastern countries spied on journalists
• Cryptocurrency wallets drained in Singapore and South Korea
• Corporate executives targeted in London and New York

Known 5G MITM Incidents 2024–2025

How the Attacks Actually Work Step by Step

A typical real-time 5G MITM attack in 2025 looked like this:

• Attacker sets up a portable fake 5G base station in a busy area
• Victim's phone connects because the fake tower broadcasts stronger signal
• Fake tower tells phone to drop encryption or downgrade to 4G
• All traffic is forwarded to the real network so internet still works normally
• Attacker captures banking logins, one-time passwords, WhatsApp messages, everything
• Session lasts only minutes before attacker shuts down to avoid detection

Why Normal VPNs and HTTPS Sometimes Failed

Many people think "I use HTTPS and a VPN, I'm safe." In several 2025 attacks, the fake tower tricked the phone into accepting a fake certificate or performed the attack before the VPN tunnel started. Some cheap VPN apps also failed to detect the downgrade.

What Carriers and Governments Did to Fix It

• GSMA released mandatory anti-stingray guidelines in July 2025
• Apple iOS 18.4 and Android 15 now show "5G suspicious tower" warnings
• Many countries banned the sale of software-defined radios capable of fake 5G
• Carriers started blocking SS7 downgrade commands at international gateways
• 5G Standalone (no 4G fallback) networks are much harder to attack

What You Can Do Today to Stay Safe

• Keep your phone updated (iOS 18+ and Android 15+ have the new warnings)
• Use a reputable VPN that forces encryption even on cellular
• Enable "Lockdown Mode" (iPhone) or "Protected Browsing" (some Android) when traveling
• Avoid banking or crypto transactions on public 5G in very crowded places
• Turn on "Always Use HTTPS" in browser settings

Conclusion

The 5G MITM attacks of 2024–2025 were a harsh wake-up call. Everyone assumed the new standard would be bulletproof, but real-world deployment mistakes and leftover old systems gave criminals a window of opportunity. That window is closing fast: manufacturers, carriers, and governments moved quickly once the scale of the problem became clear. Today, in late 2025, the vast majority of 5G networks are far more resistant than they were a year ago.

The lesson is simple: no technology is magically secure on day one. Security improves only when researchers find the flaws, publish them, and force everyone to fix them. Stay updated, stay skeptical of "free public 5G", and you will be much safer in the 5G world.