How Do Police Track Suspects Through Virtual Numbers?
Unveiling Technical Countermeasures

🚨 The moment the system triggers: It's 14:37 on a Wednesday. The municipal anti-fraud centre receives an automated alert. A number displaying as "95588" — the official banking hotline for ICBC — is actively calling multiple residents across the city. The call script is identical: "Your account has been frozen due to suspicious activity. Please press 1 to verify your identity." But ICBC's security operations centre confirms: the bank is not placing any outbound calls at this time. The number is spoofed. The calls are fraudulent. From this second, the police countermeasure system activates. The question this article answers is: can a virtual number really make you invisible? And the operational answer — built from years of electronic forensics inside fraud task forces — is a definitive no.

How investigators classify virtual numbers — not all are created equal

Before understanding how police track a number, you must understand what kind of number they are tracking. Each category leaves a different forensic footprint.

Five categories — five forensic profiles

  • VoIP Caller ID Spoofing: The attacker manipulates the SIP From header at the signalling layer. The displayed number — often a bank or government hotline — is fabricated. The call usually cannot be called back. It leaves traces in SIP server logs, CDR records at the ingress gateway, and IP session data.
  • GOIP / SIM Box ("Mobile Relay"): A physical device located inside the target country. GSM or LTE modules hold local SIM cards. The device is remotely controlled over the internet from an overseas operator. The calls originate from a genuine local SIM — making them appear domestic — but the human controlling the call is abroad. The device requires a constant internet connection to receive commands.
  • SIM Bank / Cat Pool (猫池): A centralised rack housing dozens to hundreds of SIM cards, connected to a server that exposes an API for sending and receiving SMS. Used for bulk account registration and verification code harvesting. The SIMs are genuine, but the entity operating them is not the registered subscriber.
  • Fake Base Station (IMSI Catcher / Stingray): A rogue BTS that broadcasts on local GSM/LTE frequencies. Phones within range are forced to camp onto it. The device injects SMS or calls directly over the air interface — no carrier core network involvement whatsoever. It is the hardest to trace through conventional carrier CDRs because the traffic never enters the legitimate network.
  • eSIM Virtual Cards / Cloud Phones: The phone number is virtualised — no physical SIM card exists. eSIM profiles are downloaded over the air, and cloud phones operate entirely on remote servers. The forensic trail shifts from physical SIM seizure toward provisioning logs, IP addresses associated with profile downloads, and cloud service account records.

Six countermeasure techniques — how the tracking actually works

Technique 1: Carrier Signalling-Layer Tracing: SS7 / MAP / IMS / CDR

Technical principle: Every call and SMS traversing the mobile network generates signalling records. These include the calling number, called number, ingress gateway, egress gateway, IMEI, IMSI, Cell-ID, and timestamps. The Call Detail Record (CDR) database maintained by every carrier is the single most reliable source of trace data. For SS7-based networks, the MAP (Mobile Application Part) signalling messages — particularly the sendRoutingInfo and provideRoamingNumber operations — reveal the precise network path a call took. For IMS/VoLTE networks, the SIP signalling trace provides equivalent forensic data.

Investigative path: Obtain CDR for the target number → analyse the signalling chain → identify the originating network element or gateway → locate the physical device or trunk that originated the traffic. If the ingress is from an international gateway, the tracing continues through mutual legal assistance requests to the foreign carrier. If the ingress is domestic, the CDR narrows the source to a specific base station, broadband connection, or enterprise SIP trunk.

Technique 2: IP-Layer Tracing: the fatal weakness of GOIP / VoIP

Technical principle: GOIP and VoIP devices may emit calls through local SIM cards or SIP trunks, but the control instructions — the commands telling the device which number to call and what audio to play — arrive over the internet. Every GOIP device maintains a persistent connection to a command-and-control server. To remain reachable despite dynamic IP changes, the device frequently uses a DDNS (Dynamic DNS) domain or connects to a fixed IP heartbeat server. This heartbeat is its single greatest operational vulnerability.

🔎 Key insight: A GOIP device cannot function without periodically phoning home. That heartbeat packet — a small UDP or TCP keep-alive sent every 30 to 120 seconds — contains the device's current public IP address. Once law enforcement identifies the heartbeat server or DDNS domain and obtains its logs, every GOIP device connected to that infrastructure is geographically locatable.

Investigative path: Identify the C2 server IP or DDNS domain from seized device firmware or network traffic analysis → obtain connection logs through legal process served on the DDNS provider or hosting company → map each connection to a broadband account IP → request subscriber information and physical installation address from the ISP → deploy traditional physical surveillance at the identified premises → seize the device.
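The heartbeat described above is something a network defender (an ISP abuse desk or an enterprise SOC) can look for in their own flow records before any device is seized. The following is an added example, not code from the original article or from any police system: it groups outbound flows by (source, destination, port, protocol) and flags tuples whose inter-arrival times are both inside the 30 to 120 second window the text names and nearly constant, which is what a fixed-interval keep-alive looks like and what ordinary browsing does not. The flow records, IP addresses, port and thresholds are all constructed for the illustration.

```python
"""Periodic-beacon (heartbeat) detection over outbound flow records.

Added example for the IP-layer tracing discussion. All data below is constructed:
192.0.2.10 is an assumed home broadband client, 203.0.113.5:7777 an assumed
control server, and the 198.51.100.0/24 hosts stand in for ordinary web/DNS traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp_s, src_ip, dst_ip, dst_port, proto).
# The UDP flows to 203.0.113.5:7777 recur roughly every 60 s with small jitter;
# the remaining flows are irregular, as normal client traffic is.
SAMPLE_FLOWS = [
    (1000, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1061, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1119, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1180, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1240, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1302, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1359, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1420, "192.0.2.10", "203.0.113.5", 7777, "udp"),
    (1003, "192.0.2.10", "198.51.100.20", 443, "tcp"),
    (1007, "192.0.2.10", "198.51.100.20", 443, "tcp"),
    (1150, "192.0.2.10", "198.51.100.20", 443, "tcp"),
    (1152, "192.0.2.10", "198.51.100.20", 443, "tcp"),
    (1390, "192.0.2.10", "198.51.100.20", 443, "tcp"),
    (1401, "192.0.2.10", "198.51.100.20", 443, "tcp"),
    (1100, "192.0.2.10", "198.51.100.77", 53, "udp"),
    (1105, "192.0.2.10", "198.51.100.77", 53, "udp"),
]


def find_periodic_beacons(flows, min_count=5, min_period=30, max_period=120, max_cv=0.25):
    """Return the (src, dst, port, proto) tuples that behave like a fixed-interval keep-alive.

    A tuple is reported when it has at least `min_count` flows, its mean gap lies in
    [min_period, max_period] seconds and the gaps are regular: the coefficient of
    variation (stdev / mean) is at most `max_cv`. The thresholds are assumptions
    chosen for this example, not values from the article.
    """
    stamps_by_tuple = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        stamps_by_tuple[(src, dst, dport, proto)].append(ts)

    hits = []
    for (src, dst, dport, proto), stamps in stamps_by_tuple.items():
        if len(stamps) < min_count:
            continue  # too few observations to call anything periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter_cv = pstdev(gaps) / period
        if min_period <= period <= max_period and jitter_cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "proto": proto,
                "count": len(stamps),
                "period_s": round(period, 1),
                "jitter_cv": round(jitter_cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_periodic_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']} "
              f"every ~{hit['period_s']} s over {hit['count']} flows (cv={hit['jitter_cv']})")
```

On real NetFlow or Zeek `conn.log` data the same grouping and gap statistics apply; the practical caveats are that many legitimate agents (NTP, monitoring, push notifications) also beacon, so a hit is a lead to be matched against known destinations, not a verdict, and that an operator who adds large random jitter will raise the coefficient of variation above the cut-off, which is why the threshold is tuned per network rather than fixed.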

Technique 3: IMEI Serial Number Correlation & Device Profiling

Technical principle: The IMSI (subscriber identity) is tied to the SIM card and can be changed in seconds. The IMEI (device identity) is tied to the physical handset or GOIP module and is relatively stable. Carriers can run correlation analysis on all signalling events occurring under the same IMEI — across different IMSIs, different times, and different locations.

Investigative path: Identify the IMSI associated with fraudulent activity → retrieve the IMEI from the CDR for that IMSI → query all historical CDR records for that IMEI → reconstruct the complete movement pattern of the device: every cell tower it connected to, every IMSI it ever used, every time window in which it was active → map the base station LAC/CI data to physical locations → derive the suspect's residential area, frequent locations, and operational rhythm.

Technique 4: Base Station LAC/CI Physical Positioning & Triangulation

Technical principle: Mobile networks measure the distance between a handset and a base station using Timing Advance (TA) in GSM and RSRP signal strength differentials across neighbouring cells in LTE. Each base station sector (identified by LAC/CI codes in the CDR) covers a specific geographic area. By combining TA values and multi-cell signal measurements, a device's location can be narrowed to a radius of tens of metres.

Investigative path: For a persistently active fraudulent number, extract the LAC/CI from the CDR → map it to the base station's physical coverage footprint → use multi-base-station triangulation data to narrow the area → deploy a portable IMSI-catcher or direction-finding equipment to the identified neighbourhood → conduct floor-by-floor signal strength measurements → locate the precise apartment or room. This is the method used to transition from "we know the building" to "we know the door."

Technique 5: Big Data Anti-Fraud Models & Multi-Source Data Collision

Technical principle: Individual data points — a call record, an IP address, a prepaid card top-up — are ambiguous in isolation. But when combined across dimensions, they produce a unique forensic signature. Anti-fraud platforms operated by the Ministry of Public Security and provincial centres ingest CDR data (call frequency, duration, called-number dispersion), financial transaction records (how the SIM cards were funded — prepaid recharge cards, cryptocurrency, mule accounts), and internet behaviour logs (VPN login timestamps, IP geolocation mismatches) and run correlation algorithms that surface anomalous patterns.

Investigative path: Abnormal call pattern triggers a model alert — high frequency, ultra-short duration, sequential dialling across non-contiguous number ranges → the system automatically cross-references the SIM card's funding source → if funded through a known mule account or bulk prepaid card purchase linked to a specific distributor, the financial link is flagged → simultaneous VPN login records showing the same account accessing the domestic network from an overseas IP while the SIM is active domestically confirm the GOIP relay pattern → the suspect cluster is handed to investigators as a prioritised lead package.
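Two of the techniques above, IMEI correlation (Technique 3) and the call-pattern model (Technique 5), are both computations over CDR rows, so one example can show both. The following is an added example, not code from the article or from any carrier or police platform: it builds a small constructed CDR set in which one handset cycles through three SIMs while dialling rapidly across unrelated number prefixes, then (a) groups IMSIs by IMEI to expose the rotation and (b) scores each IMSI on call rate, short-call ratio and prefix dispersion, the three features the text names. Column names, IMSI/IMEI values, cell identifiers and all thresholds are constructed for the illustration.

```python
"""CDR analysis: IMEI-to-IMSI correlation plus a call-pattern alert model.

Added example for Techniques 3 and 5. Every row below is constructed; the IMSI,
IMEI and cell values are placeholders, not identifiers from any real case.
"""
from collections import defaultdict

FRAUD_IMEI = "350000000000010"   # assumed rotating-SIM gateway handset
NORMAL_IMEI = "350000000000020"  # assumed ordinary subscriber handset


def build_sample_cdr():
    """Constructed CDR rows. The gateway handset uses three IMSIs in turn; each places
    a call every 5 s across four unrelated prefixes, mostly lasting 3 s. A normal
    subscriber places three long calls from a different handset in the same area."""
    rows = []
    prefixes = ["1380001", "1590002", "1370003", "1860004"]
    ts = 0
    for imsi in ("460001111111101", "460001111111102", "460001111111103"):
        for i in range(24):
            rows.append({
                "ts": ts, "imsi": imsi, "imei": FRAUD_IMEI,
                "called": prefixes[i % len(prefixes)] + f"{(i * 37) % 10000:04d}",
                "duration_s": 45 if i % 5 == 0 else 3,  # a few answered calls, most unanswered
                "lac": "1001", "ci": "2042",
            })
            ts += 5
    for i in range(3):
        rows.append({
            "ts": 10 + i * 600, "imsi": "460002222222201", "imei": NORMAL_IMEI,
            "called": "13900051234", "duration_s": 120, "lac": "1001", "ci": "2043",
        })
    return rows


def imei_correlation(rows, min_imsis=2):
    """Technique 3: map each IMEI to the set of IMSIs seen with it and keep handsets
    that have used at least `min_imsis` different SIMs (the SIM-rotation signature)."""
    imsis_by_imei = defaultdict(set)
    for r in rows:
        imsis_by_imei[r["imei"]].add(r["imsi"])
    return {imei: sorted(s) for imei, s in imsis_by_imei.items() if len(s) >= min_imsis}


def score_imsi(group):
    """Features for one IMSI: calls per minute over its active span, share of calls
    under 5 s, and number of distinct 7-digit called-number prefixes."""
    stamps = sorted(r["ts"] for r in group)
    span_s = max(stamps[-1] - stamps[0], 1)
    return {
        "calls": len(group),
        "rate_per_min": round(len(group) * 60 / span_s, 1),
        "short_ratio": round(sum(1 for r in group if r["duration_s"] < 5) / len(group), 2),
        "distinct_prefixes": len({r["called"][:7] for r in group}),
    }


def flag_imsis(rows, rate_threshold=6.0, short_threshold=0.6, prefix_threshold=3):
    """Technique 5: raise an alert for IMSIs that are fast, mostly unanswered and
    spread across unrelated prefixes at once. Thresholds are assumptions for this example."""
    by_imsi = defaultdict(list)
    for r in rows:
        by_imsi[r["imsi"]].append(r)
    alerts = {}
    for imsi, group in by_imsi.items():
        s = score_imsi(group)
        if (s["rate_per_min"] >= rate_threshold and s["short_ratio"] >= short_threshold
                and s["distinct_prefixes"] >= prefix_threshold):
            alerts[imsi] = s
    return alerts


def build_lead_package(rows):
    """Join both results: for each rotating IMEI, which of its IMSIs alerted and which
    LAC/CI sectors it was seen in. This is the shape of lead an analyst would take
    into Technique 4 (positioning)."""
    alerts = flag_imsis(rows)
    package = {}
    for imei, imsis in imei_correlation(rows).items():
        cells = sorted({(r["lac"], r["ci"]) for r in rows if r["imei"] == imei})
        package[imei] = {"imsis": imsis, "alerted_imsis": [i for i in imsis if i in alerts], "cells": cells}
    return package


if __name__ == "__main__":
    cdr = build_sample_cdr()
    for imei, lead in build_lead_package(cdr).items():
        print(imei, lead)
```

The sample reproduces the shape described in the case walkthrough later on the page (one IMEI, many IMSIs, roughly a dozen calls a minute, about 80% under 5 s) without any real data; on a production CDR feed the same three features are computed in sliding time windows rather than over the whole record, and a short-call ratio alone is a weak signal because call centres and IVR systems also produce it, which is why the model requires all three features together.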

Technique 6: Terminal Device Forensics & Digital Trace Extraction

Technical principle: Once a GOIP device, SIM pool controller, or cloud phone server is physically seized, it undergoes full forensic imaging. The firmware, NAND flash storage, and RAM dumps are analysed for configuration files, connection logs, and residual communication records. Even if the device has been factory-reset, embedded flash memory frequently retains recoverable data.

Investigative path: Extract the C2 server IP addresses and port configurations from the device firmware → extract DDNS account credentials from configuration files or memory strings → recover chat logs from associated messaging apps that contain contact details of the "upstream" operator or the overseas controller → submit international mutual legal assistance requests to the jurisdiction hosting the C2 server → continue the investigation upward through the fraud syndicate's hierarchy. The seized device is not the end of the investigation. It is the beginning of the next phase.

Countermeasure-to-Virtual-Number-Type correspondence matrix

| Countermeasure | VoIP Spoofing | GOIP / SIM Box | SIM Bank / Cat Pool | Fake BTS | eSIM / Cloud Phone |
|---|---|---|---|---|---|
| CDR Signalling Trace | | | | | |
| IP-Layer Tracing | | | | | |
| IMEI Correlation | | | | | |
| Base Station Physical Triangulation | | | | | |
| Big Data Multi-Source Collision | | | | | |
| Terminal Device Forensics | | | | | |

The matrix reveals an important pattern. No virtual number type is immune to all countermeasures. GOIP and SIM Bank operations are the most exposed — vulnerable to five of six techniques. Even the fake base station, which bypasses carrier infrastructure entirely, remains detectable through IMEI correlation, physical triangulation using direction-finding equipment, and big data models that detect the anomalous absence of legitimate network registration preceding the spoofed messages. eSIM and cloud phones narrow the forensic surface but remain fully traceable through CDR analysis, IP tracing, and the big data models that cross-reference provisioning logs with financial and behavioural data.

Full case walkthrough: how a GOIP den was dismantled

🔍 The takedown — step by step

Day 1 — 14:37: The municipal anti-fraud big data platform triggers a high-priority alert. A single IMSI is placing calls at a rate of 12 per minute across non-contiguous number prefixes — a pattern that no human caller could produce. The called-party numbers are all within the same city. The call duration distribution shows 80% of calls under 5 seconds: the signature of a robocall operation dialling sequentially and only connecting when a human answers.

Day 1 — 15:10: Analysts pull the CDR for the target IMSI. The LAC/CI data maps to a residential base station covering approximately six apartment buildings in a dense urban district. The IMEI associated with the IMSI is extracted. A retroactive query on that IMEI reveals it has been used with 14 different IMSIs over the past 72 hours — a clear GOIP pattern where SIM cards are rotated to avoid rate-limiting and blacklisting.

Day 1 — 16:45: The anti-fraud platform cross-references the broadband accounts associated with the geographical cluster. One account — a residential fibre connection registered to a name with no prior criminal record — shows sustained outbound UDP traffic to a known overseas IP address on non-standard ports. The traffic pattern matches the heartbeat signature of the "GoIP-ARM" firmware variant. The IP address belongs to a VPS hosted in a Southeast Asian data centre known to law enforcement as a C2 hub for multiple prior GOIP cases.

Day 1 — 19:20: The broadband installation address narrows the target to three adjacent buildings. A surveillance team is deployed to the exterior. No entry has been authorised yet — the team is mapping entry and exit points, window positions, and potential escape routes.

Day 2 — 08:00: A portable radio frequency detection unit is deployed in the stairwell of the primary target building. The device measures GSM/LTE signal strength across the 900 MHz, 1800 MHz, and 2100 MHz bands. On the 14th floor, the unit registers an anomalous concentration of multiple active GSM channels — far exceeding the normal signal profile of residential mobile phone usage. The signal strength peaks at the door of unit 1403.

Day 2 — 09:30: The raid is executed. Inside unit 1403, investigators find: 20 GOIP gateway devices (each with 8 SIM slots — 160 active SIM cards), approximately 300 additional SIM cards in plastic organisers labelled by carrier and number prefix, four 4G routers configured with multiple DDNS domains, a laptop displaying the GOIP management interface showing real-time call statistics, and a notebook containing handwritten C2 server addresses and login credentials.

Days 3–14 — Forensic extraction: The laptop hard drive and GOIP firmware are imaged. Forensic analysis extracts: the full list of C2 server IPs and DDNS domains used by the operation, Telegram chat logs with the overseas controller containing payment records in cryptocurrency, the controller's wallet addresses, and instructions for SIM card rotation schedules. The DDNS provider is served with a legal request and provides connection logs showing the overseas IP addresses that accessed the management interfaces.

Ongoing: The C2 server IPs and cryptocurrency wallet addresses are forwarded through Interpol channels to the host country's law enforcement. The upstream investigation continues.

What developers must understand — three hard truths

⚠️ Three things every technologist building communication tools must internalise

  1. Technology neutrality does not protect malicious use — and it does not protect the developer who knew. If you write GOIP control software, a SIM pool management API, or a cloud phone provisioning system, and that software is used in a fraud operation, you are not automatically liable. But if the prosecution can establish that you knew or should have known the software was being used for fraud — through your communication with users, your pricing model, your evasion features, or your failure to implement know-your-customer checks — the aiding criminal activity offence becomes very real. The 2025 Opinion's explicit inclusion of "platforms that offer bulk receipt and transmission of SMS verification codes" as a basis for inferring knowledge is directly relevant here.
  2. "Anonymity" is relative — not absolute. Every communication event generates a minimum of three to five independent data traces across different systems: the carrier CDR, the IP session log, the device IMEI, the base station location record, and the financial transaction funding the SIM card. Making one of these traces anonymous does not break the chain. Multi-source data collision — the core methodology of modern anti-fraud platforms — is specifically designed to defeat single-point anonymisation. A GOIP device that rotates SIMs but uses a fixed IMEI leaves a trace. A VoIP call that spoofs the caller ID but originates from a fixed IP leaves a trace. The adversary is not your single countermeasure; it is the correlated whole of them.
  3. Compliance is your actual shield. The only reliable way to avoid criminal exposure for communication tool development is to operate within a documented, lawful framework. Research SMS and VoIP protocols in isolated lab environments using your own legally acquired SIM cards and numbers. Test your systems on authorised, licensed infrastructure. If your tool is used in production, implement user registration, identity verification, and abuse reporting mechanisms that demonstrate you are not wilfully blind to criminal use. Compliance is not a checkbox at the end of development. It is a design requirement that determines whether your code becomes a product or an exhibit.

Conclusion: the myth of the invisible number

A virtual number is not an invisibility cloak. It is, at best, a thin layer of operational friction — one that slows an investigation by hours or days, not one that prevents it. In the era of holographic telecom surveillance, multi-source big data collision, and real-time police-carrier joint operations, every illegal communication leaves an indelible trail. The CDR records the signalling. The IP logs record the control channel. The IMEI serialises the device. The base station triangulation fixes the location. The financial transaction traces the funding. The forensic image preserves the operational history. None of these traces can be fully erased by the perpetrator — because most of them are not under the perpetrator's control.

“The traces are always there. The only question is whether anyone is looking. And in 2026, the answer — increasingly, automatically, and across jurisdictions — is yes.”