Before the internet existed, a massive network already connected the world: AT&T’s analog
phone system. It used audible audio tones to control its own long-distance calls,
and that turned out to be its greatest weakness.
A group of curious teenagers, blind kids and amateur engineers discovered that, with the right
whistle, they could travel the network like ghosts. Five decades later, the ghosts changed
instruments, but they’re still circulating.
▸ TL;DR · WHAT YOU’LL LEARN
How a blind 7-year-old cracked AT&T’s vault by whistling.
Why the SMS scam ring dismantled in São Paulo in 2024 runs on, at its core, the same idea from 1957.
What changes when the network stops being analog and the ghosts trade the whistle for a US$ 500 SDR.
Until the 1990s, the global phone system was dominated by AT&T and its
national counterparts. It was the largest engineering project of the 20th century before
the internet: a network of electromechanical switches (later electronic, with the ESS,
Electronic Switching Systems) covering entire continents over copper wire and
relay-based central offices.
The defining feature, and the fatal flaw, was in-band
signaling: the commands that controlled a call (set up, tear down, route) were
audio tones transmitted on the same frequency band as the human voice. The switch
had no separate control channel; it listened to the same wire that carried your conversation.
An idle long-distance trunk continuously emitted a 2600 Hz tone. When
someone placed a call, the tone stopped, signaling “line in use”. When the call ended, the
tone returned, signaling “trunk free, next customer please”. The consequence was simple and
devastating: if you could generate 2600 Hz into the receiver, the switch believed your
call had ended, without you hanging up.
AT&T published all the technical details in the Bell System Technical
Journal (November 1960, “Signaling Systems for Control of Telephone
Switching”). The assumption was naive but honest: no ordinary customer would own a
calibrated tone generator, and Bell engineers were trustworthy men. It took one generation
to turn that trust into a billion-dollar hole.
Josef Carl Engressia Jr., born May 25, 1949 in Richmond, Virginia, was the first
phreaker recorded by history. He was born blind and had absolute pitch.
By age 4 he already spent hours on the phone. He soon grew fascinated by the thousands
of distinct tones the network produced, and started listening to them for hours every day.
2600 Hz wasn’t a common tone on regular calls; he only began to hear it after spending
long stretches with the phone off the hook, listening to the silence of the idle
long-distance trunk. When he recognized that specific tone, he started whistling it back:
he didn’t yet know what it did, but he knew it was a valid system signal. He had found
2600 Hz at age 7, in 1957, thirteen years before Captain Crunch and the
cereal whistle. Even before the whistle, still a kid, Joe found he could replicate
rotary-dial pulses with the hookswitch and bypass the lock his babysitter clamped on the
phone: the first practical record of tap dialing.
▸ WHAT IS ABSOLUTE PITCH?
A rare ability (estimated at 1 in 10,000 people) to identify and reproduce any musical
note without a reference. Someone with absolute pitch hears a sound and knows
immediately whether it’s A-440Hz, E-330Hz or G#-415Hz, the same way most people
recognize colors. Joybubbles’ gift was even rarer: he could whistle any
specific frequency on demand, with just a few hertz of variation. For a phone system that
controlled calls with calibrated tones, that was handing him the keys to the vault.
In 1968, as a student at the University of South Florida, Joe was the subject of a campus newspaper article that nicknamed him “The Whistler”. AT&T sued the university. In 1971, Ron Rosenbaum interviewed him for the Esquire piece “Secrets of the Little Blue Box”, the same text that would inspire Steve Wozniak to build the first Blue Box.
Joe never used his skills for fraud: he wanted to understand the network. In 1975,
after years of friction with the FBI, he was hired by Mountain Bell in
Denver as a network troubleshooter, a role he held for seven years until moving to
Minneapolis in 1982. In May 1988 he “reverted to childhood” as a way to process sexual
abuse he had suffered as a child, declaring himself permanently 5 years old. In 1991, he
formalized the change in court and legally adopted the name
“Joybubbles”. He died on August 8, 2007 in
Minneapolis of congestive heart failure. Worth listening to NPR’s obituary: “Joe Engressia, Expert ‘Phone Phreak,’ Dies” (2007).
▸ JOYBUBBLES WAS NOT AN ANOMALY · THE BLIND PHREAKER COMMUNITY
Popular literature treated Joe as a genius outlier, but Phil Lapsley in
Exploding the Phone
(2013) maps out an entire community: Bill Acker (New York),
Roy Bates and Denny Teresi (California), all blind,
all sharp-eared, all discovering the phone network as a social space at a time when
conference lines and idle trunks were accessibility before the term existed.
Anyone with free time, a phone against the ear and above-average pitch perception lived
phreaking as routine, not feat. Joybubbles was the public face of an invisible network.
The oldest phreaking technique used no special tones or whistles, just a well-trained
finger. Called tapping or switch-hook dialing, it turned
the phone’s hookswitch into an improvised dial. Joybubbles learned the trick as a
kid, before he ever discovered the magic whistle.
To understand why the trick works, it helps to see what it was imitating: the rotary
dial telephone (alongside). Each digit spun the disk to a finger stop; on its way
back, an internal cam rotated and its teeth struck a copper pawl, generating the
electrical pulses the switch counted.
Interactive rotary-dial demo (not reproduced here). The disk and the cam spin together on the same shaft. On release, the cam returns and each tooth strikes the copper pawl, generating one electrical pulse to the switch.
How tapping beats the dial
Dialing “5” meant sending 5 pulses at a cadence of 10 pulses per second
(60ms open / 40ms closed). Phreakers found the shortcut: tapping the hookswitch
repeatedly opens and closes the same circuit. Same logic as the dial, no dial
needed. Phones with a locked rotary? Bypass via hookswitch. Hotel payphones with no
dial? Tap the hook. It was the most democratic trick in phreaking: any finger learned
it in half an hour.
▸ HOW IT WORKED
Pick up the phone (line closed → dial tone)
To dial “3”, tap the hookswitch 3 times (~60ms each)
Wait ~700ms, the switch registers “3”
Repeat for the other digits. “0” is 10 taps.
Cadence: 40/60 (Bell) vs 33/67 (CCITT/Telebrás)
The numbers above describe the Bell US cadence: each pulse is
60 ms break / 40 ms make (60% circuit open, 40%
closed), at 10 PPS. Under the CCITT standard that Telebrás (the
Brazilian state telecom monopoly) inherited in 1968, the ratio is different:
67 ms break / 33 ms make. Same frequency (10 pulses
per second), different internal distribution.
In practice, a trained finger could fool any switch, because relays had wide
tolerance for deviation. But the difference explains why imported blue boxes and
dialers had to be recalibrated for Brazil, and why BR phreakers ended up designing
their own circuits instead of cloning American schematics without adjustment.
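The pulse mechanics described above, written out as a codec in an added example (not code from the article): it encodes digits as hookswitch open/closed intervals in both the Bell and the CCITT cadence, decodes them the way a tolerant step-by-step register would, and shows why a hand-tapped hookswitch with sloppier timing decodes just as well. The tolerance window (breaks of 20 to 120 ms count as a pulse), the 400 ms inter-digit threshold and the hand-tap timings are assumptions chosen for the example, not figures from the page.

```python
"""Added example (not from the article): pulse dialing as a codec.
Encodes digits as hookswitch open/closed intervals in the Bell and CCITT
cadences, then decodes them the way a tolerant step-by-step register would."""
from dataclasses import dataclass

# Cadences from the text: (break_ms, make_ms) at 10 pulses per second.
CADENCES = {
    "bell": (60, 40),    # US: 60 ms circuit open / 40 ms closed
    "ccitt": (67, 33),   # CCITT / Telebrás: 67 ms open / 33 ms closed
}
INTERDIGIT_MS = 700      # the pause the switch waits for before registering a digit


@dataclass
class Event:
    state: str   # "open" (hookswitch broke the circuit) or "closed"
    ms: int      # how long the line stayed in that state


def digit_pulses(d: int) -> int:
    """'0' is sent as 10 pulses; 1-9 are their own count."""
    return 10 if d == 0 else d


def encode(number: str, cadence: str = "bell") -> list[Event]:
    """A rotary dial: n breaks per digit, then the inter-digit pause."""
    brk, mk = CADENCES[cadence]
    events: list[Event] = []
    for ch in number:
        n = digit_pulses(int(ch))
        for i in range(n):
            events.append(Event("open", brk))
            # the make after the last pulse merges into the inter-digit pause
            events.append(Event("closed", mk if i < n - 1 else INTERDIGIT_MS))
    return events


def tap(number: str, break_ms: int = 85, make_ms: int = 55) -> list[Event]:
    """A finger on the hookswitch: same break count, sloppier timing
    (assumed values; a real hand is less regular still)."""
    events: list[Event] = []
    for ev in encode(number):
        if ev.state == "open":
            events.append(Event("open", break_ms))
        else:
            events.append(Event("closed", ev.ms if ev.ms == INTERDIGIT_MS else make_ms))
    return events


def decode(events: list[Event], min_break_ms: int = 20, max_break_ms: int = 120,
           gap_ms: int = 400) -> str:
    """Count breaks; a closed interval of at least gap_ms ends the digit.
    The wide tolerance window (assumed here) is the point: a relay register
    built for a 60 ms dial also counts a 67 ms or an 85 ms break, so a
    thumb on the hook was indistinguishable from the dial it imitated."""
    digits: list[str] = []
    count = 0
    for ev in events:
        if ev.state == "open":
            if min_break_ms <= ev.ms <= max_break_ms:
                count += 1
            else:
                # a break far longer than a pulse is a hang-up: discard the digit
                count = 0
        elif ev.ms >= gap_ms and count:
            digits.append("0" if count == 10 else str(count))
            count = 0
    if count:  # trailing digit with no pause after it
        digits.append("0" if count == 10 else str(count))
    return "".join(digits)


if __name__ == "__main__":
    print(decode(encode("305", "ccitt")), decode(tap("1970")))
```

The decoder never looks at the make/break ratio, only at the count of breaks inside the tolerance window and at the length of the pause that follows, which is why a Bell-style register accepts CCITT pulses and hand taps alike.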
▸ POP CULTURE
The classic scene of a prisoner who needs to make a forbidden call, hangs up the
prison payphone and taps the hookswitch to dial a number off the approved
list, is a direct reference to this technique. It shows up in
Hackers (1995),
in WarGames (1983),
and in a dozen prison thrillers from the 80s and 90s. It wasn’t a screenwriter’s
invention: it was the only thing that actually worked on a phone with a locked dial.
The exact scenario where tapping was the only way out: a physical padlock threaded through the dial, blocking ordinary dialing.
Interactive pulse-dialer demo (not reproduced here): the hookswitch prongs drop on every tap, opening the circuit; 1 tap = 1, 5 taps = 5, 10 taps = 0, with a 700 ms gap between digits.
Joybubbles was the first to notice, but not the only one. In 1968, engineer
John Draper met a blind sailor who gave him the tip: the plastic toy whistle that came as a prize in Cap’n Crunch cereal played exactly 2600 Hz. Blow it into the mouthpiece and the long-distance trunk
surrendered. The world got a Captain Crunch; AT&T lost control.
When the whistle hit the receiver, the switch believed the call had ended, but the line
stayed open. You were still connected to a live long-distance trunk, only now as if
you were the switch yourself, free to issue direct commands.
▸ HOW IT WORKED
Dial a 0800 number (free, but uses a long-distance trunk)
After connection, blow 2600 Hz into the mouthpiece
The remote office disconnects the destination but keeps the trunk
You now have direct access to the trunk network
Interactive oscilloscope demo (not reproduced here): call route HANDSET → LOCAL_OFFICE → TRUNK_2600 → INTERNATIONAL; once the 2600 Hz tone is applied, the display reports a trunk seizure and international backbone access.
Once the 2600 Hz whistle “opened” the trunk, you had to tell the network where to
dial. AT&T used a signaling system called CCITT5 / Multi-Frequency (MF):
each digit is represented by two simultaneous tones, picked from a matrix of
6 frequencies (700, 900, 1100, 1300, 1500, 1700 Hz).
The Blue Box, popularized by Steve Wozniak and Steve Jobs before they founded Apple, was a device that generated those tone pairs. Ron Rosenbaum’s article “Secrets of the Little Blue Box”, published in Esquire in 1971, exploded the popularity of the hobby.
▸ BEFORE YOU PLAY: KP AND ST
On top of the 10 digits, the MF protocol carries two control tones that tell
the remote switch when an address starts and ends. Without them, the digit sequence is
just noise.
• KP (Key Pulse, tones 1100 + 1700 Hz) opens the packet: it says “heads up, digits are coming”. Always the first tone sent.
• ST (Start, tones 1500 + 1700 Hz) closes the packet: “I’m done, you can route now”. Always the last.
The full sequence for a call is KP · digits · ST. In the
simulator below, start with KP, dial the destination digits, and finish with ST.
Interactive Blue Box simulator (not reproduced here): press “EMIT 2600 Hz” to seize the trunk, then send KP, the destination digits and ST to route the call. Example: KP 1 8 0 0 5 5 5 1 2 1 2 ST (international route).

CCITT5 matrix (row frequency + column frequency = symbol; KP and ST are commands, the rest are digits):

| Hz | 700 | 900 | 1100 | 1300 | 1500 |
|---|---|---|---|---|---|
| 900 | 1 | | | | |
| 1100 | 2 | 3 | | | |
| 1300 | 4 | 5 | 6 | | |
| 1500 | 7 | 8 | 9 | 0 | |
| 1700 | | | KP | | ST |
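What an in-band receiver actually hears, as an added example (not code from the article, and not from any blue box): it synthesizes C5 tone pairs from the matrix above, detects each of the six frequencies with a Goertzel filter, collapses the frames into symbols, and accepts only an address framed by KP and ST. A separate check for the 2600 Hz supervisory tone runs over the same samples, which is the in-band flaw in one function. The sample rate, burst timing, amplitude, 20 ms frame and energy threshold are assumptions chosen for the example.

```python
"""Added example (not from the article): what an in-band MF receiver hears.
Synthesizes CCITT #5 tone pairs, detects the six frequencies with Goertzel
filters, and accepts only an address framed by KP and ST."""
import math

SAMPLE_RATE = 8000                       # PCM voice channel
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
# The C5 matrix: each symbol is one pair drawn from the six frequencies.
MF_PAIRS = {
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),  "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),  "9": (1100, 1500),
    "0": (1300, 1500), "KP": (1100, 1700), "ST": (1500, 1700),
}
PAIR_TO_SYMBOL = {pair: sym for sym, pair in MF_PAIRS.items()}
SEIZE_HZ = 2600                          # idle-trunk supervisory tone
AMP = 0.4                                # per-tone amplitude (assumed)
FRAME = 160                              # 20 ms analysis frame at 8 kHz (assumed)
# A clean tone's energy over one frame is about (AMP*FRAME/2)^2; demand a quarter of it.
THRESHOLD = 0.25 * (AMP * FRAME / 2) ** 2


def tone(freqs, ms):
    """Sum of sines; an empty freqs tuple is silence."""
    n = SAMPLE_RATE * ms // 1000
    return [sum(AMP * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def synth(symbols, on_ms=60, off_ms=60):
    """Symbols become tone bursts separated by silence; the silence is what
    lets two identical digits in a row be told apart."""
    out = []
    for s in symbols:
        out += tone(MF_PAIRS[s], on_ms) + tone((), off_ms)
    return out


def goertzel(frame, freq):
    """Energy at one frequency. Cheaper than an FFT when only a handful of
    frequencies matter, which is exactly a signaling receiver's situation."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify(frame):
    """The symbol whose two frequencies dominate the frame, or None."""
    energy = {f: goertzel(frame, f) for f in MF_FREQS}
    top = sorted(energy, key=energy.get, reverse=True)[:2]
    if min(energy[f] for f in top) < THRESHOLD:
        return None
    return PAIR_TO_SYMBOL.get(tuple(sorted(top)))


def decode(samples):
    """Frame-by-frame classification, collapsing runs of the same symbol."""
    symbols, last = [], None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        sym = classify(samples[i:i + FRAME])
        if sym is not None and sym != last:
            symbols.append(sym)
        last = sym
    return symbols


def route(samples):
    """A switch acts only on a framed address: KP, digits, ST."""
    syms = decode(samples)
    if syms[:1] != ["KP"] or syms[-1:] != ["ST"]:
        return None
    return "".join(syms[1:-1])


def seize_detected(samples):
    """The supervisory check runs on the same samples as the voice: that is
    the in-band flaw in one line."""
    return any(goertzel(samples[i:i + FRAME], SEIZE_HZ) >= THRESHOLD
               for i in range(0, len(samples) - FRAME + 1, FRAME))
```

Every MF frequency and the 2600 Hz tone fall on an exact bin of a 160-sample frame at 8 kHz, so the six Goertzel detectors do not leak into each other; a digit sequence without KP and ST is rejected exactly as the text says a switch would treat it, as noise.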
But Brazil was different: R2/MFC 5C
While AT&T, BT and European carriers ran CCITT5 with in-band MF tones, in 1968 Brazil
adopted the R2/MFC variant 5C signaling.
The difference is architectural, not cosmetic: in R2, MF tones move between
registers (sender/receiver only allocated during setup), never on the voice
channel. Supervision runs at 3825 Hz out-of-band, above the
PCM codec passband, filtered out before it ever reaches the mouthpiece.
Playing 1380 + 1500 Hz into the microphone was just noise.
The blue box that seized trunks in New York and London died silent in Brazil.
The Brazilian blue box only worked over international 0800 routes that
terminated on still-live C5 trunks: Mexico, Costa Rica, Guatemala, Hong Kong. AT&T
USADirect (0800-890-0288), MCI WorldPhone
(0800-890-0012) and Sprint Express
(0800-888-8000) were literally the doors BR phreakers used
to cross the ocean.
The mechanism is the third scenario in the diagram below: on the BR leg, the Blue Box’s
MF tones travel as plain voice and cause no harm: R2 keeps signaling separate. But the
0800 gateway repackages the call onto an international C5 trunk, where voice and commands
share the same channel again. Out there, the same tones become commands and seize the
trunk. The victim is the foreign carrier, crossed via Telebrás without a billing record.
For everything else, R2 was architectural defense. Technical intro to R2:
soft-switch.org/unicall/mfcr2/ch02.
Between the 1960s and 1980s, phreakers built dozens of color boxes, each
exploiting a different feature of unencrypted signaling protocols. Hardware was simple:
tone generators, resistors, capacitors, modified handsets, or later PCs with sound cards.
Each color attacked a different vector: billing, authentication, conferencing, coin
signaling.
Box gallery (four photos, not reproduced here): Blue Box (Powerhouse Museum, CC), Red Box (Radio Shack tone dialer), Black Box (Telephone Museum, CC), Beige Box (Wikimedia Commons, CC).
| Box | Signal exploited | Function | Era / Context |
|---|---|---|---|
| Blue | 2600 Hz + MF (CCITT #5) | Seize a long-distance trunk and dial freely on premium routes. | 1970s · Draper / Wozniak / Jobs |
| Red | 1700 + 2200 Hz (coin) | Emulate coin-deposit signal in payphones, getting credit without paying. | 1970s–80s · US payphones |
| Black | Resistor + capacitor in series | Block the billing pulse on incoming calls; switch thinks the line is still ringing. | 1970s · electromechanical switches |
| Green | Coin-collect / coin-return tones | Remotely command international automated payphones (coin-control signaling). | 1970s–80s · long-distance payphones |
| Clear | Inductive mic + amp | Eavesdrop on the muted side of payphones that silenced audio until coin insertion. | 1970s · rare models |
| Violet | Series resistor | Hold the line in fake off-hook state, suppressing rings. | 1970s · domestic variant |
| Orange | FSK CallerID 1200 baud | Inject fake Caller ID into the recipient’s line before the ring. | 1980s–90s · social engineering |
| Beige | Test phone with alligator clips | Homemade lineman’s handset: tap directly into the street junction box. | 1980s · technical / clandestine |
| White | CCITT R2 via Amiga | Australian variant using a computer to generate international R2 signaling. | 1990s · Oceania |
Boxes that never wore blue or red
The international color-box catalog (blue, red, black, green, etc.) lists no Brazilian
variants. When the network changed architecture, the tricks changed color, but only some
of them ever got documented in foreign zines. Three BR variants belong on the table next
to the others:
• 1N4007 diode (the “Brazilian black box”): diode + 22 kΩ resistor wired into a token-payphone (TUP) line. Blocked the polarity reversal that signaled “call answered”. The switch kept thinking the call was still ringing. Worked on electromechanical switches until billing migrated to 12 kHz metering pulses in the 90s.
• Pencil-traced / nail-polished card (Generation 1, 1992-95): the Brazilian inductive phone card attack, detailed in interactive form in the next section. Graphite reconnects burned tracks; clear nail polish keeps the next read from blowing new cells.
• The flour trick: a wheat-flour paste applied to a token slot. The paste hardened and gummed up the solenoid of the magnetic see-saw mechanism, locking it in the “token accepted” position. Infinite credit until someone smashed the booth. More destructive than effective, but part of the neighborhood repertoire.
BADISCO · the Brazilian lineman handset
The BR version of the Beige Box has its own name: badisco. Not a
homemade hack. It’s the commercial operator’s phone sold to Telebrás technicians, then
Telefônica/Embratel, today Claro/Vivo/Oi. Multitoc MU256T, Intelbras
TC 20, Solução: compact units with alligator clips (“crocodile”) instead of
the American bed-of-nails. Connects directly to the twisted pair inside the
street’s Krone M10 cabinet or the CTA box on the building facade.
Sales were never restricted: Santa Ifigênia and Galeria
Pajé in São Paulo, Saara in Rio. For the teenage BR phreaker,
R$ 30 on a generic badisco or a repurposed dollar-store headset (with 4 wires, of which
only two matter) unlocked the entire analog network of the neighborhood. Under every
sidewalk, an unencrypted copper pair. Listening was a question of motivation.
The phone card: Brazil’s contribution to phreaking
While Americans hid blue boxes in backpacks, Brazil was writing its own chapter of
telephony history with 100% domestic technology. In July 1976, engineer
Nelson Guilherme Bardini (B.S. Civil Engineering 1962, Electronics 1963 from
Mackenzie University) started developing inside TELESP what he called the
“Electronic Token”: a PVC card with coils and microfuses that replaced the round
metal token used in payphones.
The project won the Telebras research-category award and earned the
Landell de Moura Prize. The invention spread worldwide, but only became
commercial in Brazil itself in 1992: the first card was issued at the
Brazilian Formula 1 Grand Prix in Interlagos, and the official rollout came with
Eco-92, in Rio. The motivation was practical: metal
tokens suffered constant vandalism, and the cost of collecting them from payphones broke the
whole model.
▸ PATENT PI 7804885 AND THE PASTA MACHINE
Bardini filed patent PI 7804885 on 1978-07-28; the
grant came through at the INPI on 1984-03-27, almost six years later,
long enough for the Brazilian inductive card to debut in 1992 as the first commercial
implementation of this technology anywhere in the world. The domestic detail that
survives in oral history: the first prototypes of the tin-lead (Sn-Pb) alloy used for
the tracks were pressed at home, using a homemade pasta machine adapted as a
cold press. The card that would become a collector’s item, a generational badge and a
phreaking vector was born in a kitchen, before it became industrial engineering. Every
invention needs a kitchen.
How the inductive card worked
The principle is Faraday’s law of induction (1831): an alternating current in
one coil generates a magnetic field; a second nearby coil captures that field and returns a
proportional voltage. On the back of the card, several inductive cells, small metal
tracks in series with microfuses, were read by the terminal:
• Read: a low current passes through the coil; the terminal measures the impedance and knows whether the cell is open or closed.
• Charge: when a unit is consumed, the terminal injects enough current to blow the microfuse for that cell. Open = unit spent.
• Credit: the number of intact cells is the balance. When all are blown, the card is discarded.
The graphite bypass
The inductive card was robust against the obvious attack (cloning a metal token was trivial),
but it had a physical weakness: the circuit was visible on the back. Starting in the
late 90s, BBSs and mailing lists circulated a trick that became folklore: running a
graphite pencil over the burned tracks reconnected the circuit. Graphite is
electrically conductive (resistivity around 10⁻⁵ Ω·m), and a dense enough layer brought the
cell back to a state the terminal would read as intact. Variants applied
clear nail polish over the area to prevent the next read from blowing fresh fuses,
freezing the balance.
The demo on the side is a didactic version: click INSERT CARD and watch the
tracks burn one by one as the credit drops to zero. Then,
drag the cursor over the card as if you were
penciling: the tracks reconnect, the balance returns. Later card generations mitigated the
problem with cryptographic cells and opaque back coatings, but for a long time, the graphite
trick was the most Brazilian way to phreak.
The telecartofilia culture
Low cost, nationwide distribution and visual variety turned the card into a
cultural phenomenon. From 1994 onward, commemorative series, F1, World Cup,
dinosaurs, cartoon characters, landscapes, became collector’s items. A new hobby emerged,
telecartofilia, sister to philately and numismatics, with clubs, catalogs,
swap fairs and limited runs commanding small fortunes. Companies, schools and government
agencies commissioned their own designs; manufacturing defects became prized rarities. The
hobby lasted until around 2010, when prepaid mobile phones retired the payphone and, with
it, the card itself.
Phone card gallery (six cards, not reproduced here): Telebras · 1990s (Zagatti archive); Commemorative · institutional (Arquivo Público); Inductive tracks · back (archive); Telemar series · Brasil 500 Anos (personal collection); Collector album (personal collection); Senninha series · Ayrton Senna (personal collection).
Between 1985 and 2005, Brazil had its own phreaker scene. Not a colony of the American
one: R2/MFC blocked the classic blue box, per-pulse billing imposed a chronotype, and
urban infrastructure (payphones on every corner, Krone cabinets open on the sidewalk,
twisted pairs exposed) opened vectors that didn’t exist in Manhattan or Berkeley. The
international literature skips this chapter. The living sources are fifty years old now
and sit in front of the same computer, just with a different job.
1998 to 1999 · The 170-meter wiretap
São Paulo periphery, 1998. Four payphones on a single corner. One of them, picked for
distance to the home of a 12-year-old named Gutem, got a little plastic sign:
“out of order”. Behind the sign, a 170-meter twisted pair running pole to
backyard, connecting the payphone to an AMD K6-2 400 MHz and a 28.8 kbps modem. The
internet wiretap was the cheapest possible infrastructure for pulling research
files at 3 kB/s into the small hours.
▸ TESTIMONY · THE NOTE FOR THE TECHNICIAN
“I left some stuff written on the back of the paper specifically for the Telesp
operator, you know?
Listen man, this is the poor kid who tapped the wire just to stay on the
internet. Straight up, do whatever you want. There must have been some guys who
left it there because it ran for a good while. But that was a few months, you
know? Until I worked out a schedule to get on late at night. I’d already done
some serious research on where to find material.”
The tariff that turned a generation nocturnal
Telesp charged 1 single pulse between 00:00 and
06:00 on weekdays, and from Saturday 14:00 through Monday
06:00. Outside that window, the bill came multiplied by 8. The first afternoon
usage bill arrived at R$ 320 (in 1998 the minimum wage was R$ 130).
The result: an entire generation of BR phreakers and nerds inverted their routine:
research between 23:00 and 01:00, downloads queued in the manager, sleep between 06:00
and 14:00. The BR phreaker chronotype was imposed by the tariff. Not a preference,
household accounting.
Telesp tariff · full week (heat map, not reproduced here: hours 00h–24h across MON–SUN). Each square is one hour. Green = 1 pulse for the whole session. Orange = ~20 pulses per hour.
▸ The rule that became a chronotype
Inside the green windows, Telesp charged one pulse for the whole session. Outside them, ~20 pulses per hour. The practical result: the Brazilian phreaker was nocturnal by accounting, not aesthetics.
The zines and #phreak on BrasNet
The scene barely documented itself, and only among locals. Barata Elétrica,
started in 1994 by Derneval “Curupira” Cunha, was the first
Portuguese-language hacker e-zine. Issue 7 (“Os Maníacos por Telefone”)
translated and adapted Bruce Sterling’s Bell System chapters into the Telebrás context.
In parallel, on the #phreak channel of the
BrasNet network, Phroide, Dialtone, Psylon and Papillon kept the group
PhreaKhaos alive. Phroide’s line was the manifesto:
“Fuck all americans phreakers”, not as an insult, but as a claim: our phreaking
is not a copy. Other zines from the era: Axur 05,
Unsekurity Magazine, Pr0j3kt M4yh3m. Surviving mirrors:
absoluta.org/barata and sites.google.com/site/barataeletricafanzine.
The favorite phreaker software (BlueBEEP, archived at archive.org/details/bbeep-006) generated MF C5 tones from a PC with a sound card, no analog hack needed.
The end of Brazilian analog phreaking · 2006–2010
ADSL broadband reached Gutem’s neighborhood in 2006. The migration to prepaid mobile was
already underway, and the payphone began to disappear from the landscape. Around 2010,
analog BR phreaking had ended for the generation that lived it. Not by repression, by
network obsolescence. As he sums it up: “The alternatives were to switch to mobile
and I didn’t have the money for that yet.” When he came back to the hacker scene,
it was already 2010, already IP, already something else. The badisco became a museum piece
before turning back into a R$ 1 store item.
Digital telephony killed analog phreaking, but traded one set of fragile protocols for another: SS7 (Signaling System #7, the language carriers use to swap commands between themselves: “give me this number’s location”, “this SMS goes to that subscriber”; designed in 1975 for a closed club of trusted operators, with no authentication or encryption), Diameter (its IP successor and the 4G/LTE standard, which inherited the same original sins: weak inter-carrier validation, critical messages without strong authentication), GTP (GPRS Tunnelling Protocol, which carries data traffic between mobile network nodes and, when exposed to the internet without a firewall, becomes an open door for roaming attacks), SIGTRAN (Signaling Transport, SS7 over IP: it reduces operational cost but widens the attack surface, since any server with a rented SCCP address can inject messages) and IMS (IP Multimedia Subsystem, a full SIP stack inside the carrier and the foundation of VoLTE; in 2021 researchers demonstrated downgrade and interception attacks on IMS calls). All of them are stacks designed in the 1970s–1990s, when the network was a closed club of trusted carriers. Today, any actor with access to a roaming hub or a US$ 500 Software-Defined Radio (a radio whose modulation lives entirely in software: a US$ 300 HackRF or a US$ 700 USRP transmits in any mobile telephony band, so what used to be carrier-grade hardware costs the price of a mid-tier phone) enters as an authorized peer.
09.1 SS7 / SIGTRAN
The SS7 protocol (1975) and its IP version, SIGTRAN, are the baseline signaling for 2G/3G worldwide. No authentication, no encryption. Anyone inside the network can query a subscriber’s location, redirect SMS, or intercept calls. In 2019, fraudsters exploited SS7 in the UK to intercept 2FA codes and drain Metro Bank accounts. In Brazil, similar fraud had been documented since 2016. The 2018 ENISA report formally acknowledges the technical debt: 2G/3G rely on SS7 with no “modern security considerations”, and 4G (Diameter) inherited the problem.
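A defender-side screen over signaling records, as an added example that is not part of the article: it flags the two abuses the paragraph names, a location query or SMS-routing request arriving from a Global Title that belongs to no roaming partner, and a location update that changes country faster than any subscriber could travel. The record format, the Global Title prefixes, the IMSI, the countries and the partner list are all constructed for the example; the MAP operation names are the standard ones.

```python
"""Added example (not from the article): a defender-side screen over SS7/MAP
signaling records. Log format, Global Titles, IMSI and partner list are
constructed; the MAP operation names are the standard ones."""
from datetime import datetime, timedelta

# Constructed: Global Title prefixes of the carriers we actually have roaming agreements with.
ROAMING_PARTNERS = {"4471": "uk-partner", "5511": "br-partner"}
# MAP operations that expose a subscriber's location or redirect SMS delivery
# when a stranger is allowed to send them.
SENSITIVE_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                 "sendRoutingInfoForSM", "updateLocation"}


def parse(line):
    """Record format (constructed): timestamp|calling_gt|operation|imsi|country"""
    ts, gt, op, imsi, country = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "gt": gt, "op": op,
            "imsi": imsi, "country": country}


def partner_for(gt):
    """Name of the roaming partner owning this Global Title, or None."""
    return next((name for pfx, name in ROAMING_PARTNERS.items() if gt.startswith(pfx)), None)


def screen(lines, travel_window=timedelta(minutes=60)):
    """Two rules: a sensitive operation from an unknown Global Title, and a
    location update that changes country inside the travel window."""
    alerts, last_location = [], {}
    for rec in map(parse, lines):
        if rec["op"] in SENSITIVE_OPS and partner_for(rec["gt"]) is None:
            alerts.append(("unknown-origin", rec["gt"], rec["op"], rec["imsi"]))
        if rec["op"] == "updateLocation":
            prev = last_location.get(rec["imsi"])
            if prev and prev[1] != rec["country"] and rec["ts"] - prev[0] < travel_window:
                alerts.append(("impossible-travel", rec["imsi"], prev[1], rec["country"]))
            last_location[rec["imsi"]] = (rec["ts"], rec["country"])
    return alerts


# Constructed sample: a legitimate UK partner serves the subscriber, then an
# unknown Global Title queries and "moves" the same subscriber thirty minutes later.
SAMPLE_LOG = [
    "2024-03-01T10:00:00|447100000001|updateLocation|724011234567890|GB",
    "2024-03-01T10:05:00|447100000001|sendRoutingInfoForSM|724011234567890|GB",
    "2024-03-01T10:20:00|999900000001|sendRoutingInfoForSM|724011234567890|XX",
    "2024-03-01T10:30:00|999900000001|updateLocation|724011234567890|XX",
]

if __name__ == "__main__":
    for alert in screen(SAMPLE_LOG):
        print(alert)
```

The first rule is the check SS7 itself never makes (who is asking); the second catches the case where the asker has rented a legitimate-looking address, because the protocol cannot tell a stolen subscriber from a travelling one but the timing can.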
09.2 Femtocells and rogue base stations
In 2013, Doug DePerry and Tom Ritter showed at DEF CON 21 how to modify a Verizon femtocell (US$ 250) plus a Raspberry Pi (US$ 50) to listen to every call and SMS from nearby phones. The whole rig fit in a backpack. Twelve years later, the same technique came back at scale: commercial gear like StingRay (Harris Corp.) and homemade variants built on a Universal Software Radio Peripheral (a high-end SDR, US$ 700–4,000, used in telecom research and sophisticated attacks against mobile networks) plus OpenBTS / Osmocom are used by states, gangs and researchers. Phones connect to the strongest signal, and when the strongest signal is hostile, hostile wins.
09.3 SIM Swap and number portability
A telco support agent talked into transferring a victim’s line to an attacker-controlled SIM.
Within seconds, every 2FA SMS, bank, email, exchange, goes to the wrong phone.
SIM swap doesn’t exploit a protocol: it exploits people. But the fraud numbers climb wherever 2FA depends on SMS. The FBI and Brazil’s ANATEL issued public warnings in the early 2020s.
09.4 VoLTE / IMS / SMS Blasting
Voice over LTE (VoLTE: instead of analog circuit-switched voice, calls become IP packets over the 4G network; better quality, larger attack surface, since signaling becomes SIP) brought IMS, a full SIP stack inside the carrier. Researchers demonstrated downgrade and interception attacks on VoLTE calls in 2021. In parallel, hardware racks with dozens to hundreds of SIM chips running in parallel (originally used to dodge international tariffs, today the infrastructure behind industrialized SMS phishing) fire tens of thousands of SMS per hour for financial fraud. Same idea as the Blue Box, industrialized (see Section 14).
09.5 PBX and VoIP fraud
Misconfigured corporate PBXs (Private Branch Exchange, the corporate phone switch; when poorly configured it becomes an open door for toll fraud, with the attacker dialing premium international numbers on the company’s line and the company’s bill) keep dialing premium-rate international numbers overnight. Hacked ATAs (Analog Telephone Adapter, the little box that connects a regular analog phone to a VoIP line; once compromised it can route calls through the attacker without the owner noticing), weak SIP credentials, exposed VoIP gateways: each one is a modern blue box, generating five-figure invoices for the victim and dividends for the attacker.
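The overnight pattern described above is cheap to catch from call detail records. As an added example (not code from the article), this screen raises an alert for premium-rate international destinations dialled outside business hours and, once per hour, for an extension whose premium-rate talk time in that hour passes a cap. The CDR format, the placeholder prefixes +999 and +888, the extensions, the business-hours window and the cap are all constructed for the example.

```python
"""Added example (not from the article): an after-hours toll-fraud screen over
PBX call detail records. CDR format, prefixes, extensions and thresholds are
constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed placeholders for premium-rate / high-risk international prefixes;
# a real deployment would load the carrier's own list.
PREMIUM_PREFIXES = ("+999", "+888")
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local time (assumed)
MAX_PREMIUM_SECONDS_PER_HOUR = 600       # 10 min of premium talk per extension per hour (assumed)


def parse_cdr(line):
    """CDR format (constructed): start_time,extension,dialed_number,duration_seconds"""
    ts, ext, dst, secs = line.strip().split(",")
    return datetime.fromisoformat(ts), ext, dst, int(secs)


def is_premium(dst):
    return dst.startswith(PREMIUM_PREFIXES)


def screen(lines):
    """Alert on premium destinations outside business hours, and once per
    hour bucket when an extension's premium seconds exceed the cap."""
    premium_seconds = defaultdict(int)    # (extension, hour bucket) -> accumulated seconds
    alerted_buckets = set()
    alerts = []
    for ts, ext, dst, secs in map(parse_cdr, lines):
        if not is_premium(dst):
            continue
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-premium", ext, dst, ts.isoformat()))
        bucket = (ext, ts.replace(minute=0, second=0, microsecond=0))
        premium_seconds[bucket] += secs
        if premium_seconds[bucket] > MAX_PREMIUM_SECONDS_PER_HOUR and bucket not in alerted_buckets:
            alerted_buckets.add(bucket)
            alerts.append(("premium-volume", ext, bucket[1].isoformat(), premium_seconds[bucket]))
    return alerts


# Constructed sample: extension 201 dials two premium numbers at 2 a.m.;
# extension 105 makes an ordinary call and one short premium call at lunchtime.
SAMPLE_CDRS = [
    "2024-05-11T02:10:00,201,+999123456,420",
    "2024-05-11T02:18:00,201,+999123457,300",
    "2024-05-11T14:00:00,105,+551133334444,60",
    "2024-05-11T14:30:00,105,+888777666,120",
]

if __name__ == "__main__":
    for alert in screen(SAMPLE_CDRS):
        print(alert)
```

The two rules are independent on purpose: a compromised PBX used during office hours still trips the volume cap, and a single after-hours premium call is worth a look even before any cap is reached.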
Between 2000 and 2015, what was left of analog phreaking merged with the nascent
“digital phreaking” on forums like alt.phone.phreaking,
private Telnet lists, abandoned FTPs and researcher blogs. Primary sources from that era
are fragile: many archives only survive today on the
Internet Archive. Four
projects summarize the transition from “audio hacking” to protocol reverse engineering:
• Quarterly founded by Eric Corley (Emmanuel Goldstein) in Long Island. Still printing in 2026. The monthly in-person “2600 meeting” in dozens of cities is the longest-running institutional continuity in the scene.
• Canonical mirror of classic North American phreaking texts plus good original work on Bell Canada networks. Offline for years; preserved in Internet Archive snapshots used as a primary source by post-2015 academic researchers.
• Practical Blue Box reconstruction: Arduino + Asterisk server configured to simulate a 1970s Class 4 toll switch. Lets you generate real MF tones and route them as if an original long-distance call. Rare pedagogy: working classic phreaking, in a weekend lab.
• Software GSM/UMTS base stations running on SDR. They became the foundation of all modern mobile network security research, used at DEF CON, ToorCon, CCC and in real surveillance incidents, from the homemade StingRay to the São Paulo gang BTS.
Talks at DEF CON, ToorCon,
CCC and HOPE documented the transition on video. Most of the academic literature only arrives
after 2015, before that, the data lived in forums that closed, one by one.
AT&T started out hiring boys as telephone operators in 1878. Within a few years
it abandoned the practice. The explanation is in Bruce Sterling, in The Hacker
Crackdown (1992), quoted by Derneval in issue 7 of Barata Elétrica:
“It was the boys who were hired first as operators. Then it turned out women made less
noise, were more discreet, and less tempted to prank-call with the phones.”
The boys did phreaking before the word existed: prank calls, redirects for fun,
long conversations with customers. Women were preferred because they didn’t do
that. Forty years later, the pendulum reversed: some of the best phreakers in history
were exactly the women who knew the network from the inside, because they worked in it
or lived alongside someone who did. Popular literature didn’t record them; two who
survived in fragments are below.
Susan “Susy Thunder” Headley
Los Angeles, late 70s and 80s. Susan Headley did pretexting against Pacific Bell
operators before social engineering entered the hacker vocabulary. She called
central offices posing as internal staff, requested routes and codes, got them.
Garbology: she went through dumpsters behind PacBell buildings looking for
discarded technical manuals. ABC’s 20/20 program interviewed Geraldo Rivera about
the scene in 1982; Headley appears in the footage. Her DEF CON 3 keynote (1995) coined a
line that could be the epigraph of the rest of this article:
“Being a human being is a vulnerability by itself.”
The full profile in The Verge (2022,
“Searching for Susy Thunder”,
by Claire Evans) is today the best primary source on her. Recommended read.
Chanda Leir
January 1989. Phrack #24 publishes her Pro-Phile, conducted by
Taran King,
with an intro that says more about the scene than about the interviewee:
“one of the more rare sights in the world of phreaking and hacking, a female!”
Chanda was the only woman with a Pro-Phile in Phrack until issue 32. She conferenced over
loops, knew MF tones, operated on the network with gender-neutral nicks because
the safest way to be respected as a phreaker was not to be identified as a woman.
Systemic (not aesthetic) pseudonymity erases gender from the historical record. It’s hard
to count a community that documented itself under nicks. Rather than “there were few
women”, the honest version is: we don’t know how many there were, because the culture
didn’t let them identify themselves.
The documentation of women’s participation in phreaking is structurally short because the
culture was structurally hostile. Systemic pseudonymity hid gender. Conferences were
boys’ clubs. And when a woman did publish, the byline came with an asterisk
(“(female)”, “a female!”, “rare sights”), signaling that this was notable precisely
because it was exceptional. The documentary invisibility is, in itself, the finding.
When governments cut mobile or fixed internet to silence protests, communities improvise.
The result is an unlikely catalog: amateur radio, V.92 modems crossing a border, mesh
networks, LoRaWAN, satellite. The official network falls; others emerge.
2020 · BELARUS
Modems crossing borders
During the protests against Lukashenko,
the government cut internet and mobile for 61 hours. Activists and journalists fell
back on V.92 modems over international landlines, dialing into foreign ISPs as
emergency gateways. 56 kbps is infinitely better than 0 kbps.
JAN/2022 · KAZAKHSTAN
Blackout in Zhanaozen
Total mobile internet blackout during the protests. DSL landlines and V.92 dial-up
were the only route abroad. International NGOs documented the blackout, but local
infrastructure couldn’t carry traffic at scale.
AUG/2023 · NAGORNO-KARABAKH
Lachin fiber cut
On 2023-08-17, Azerbaijani forces cut the fiber cable connecting Artsakh, leaving the
region offline. Residual traffic survived over HF and amateur radio,
under continuous jamming. Russian peacekeeper cameras tried to restore links via radio.
2014–TODAY · OCCUPIED UKRAINE
Ghost carriers in Donetsk and Luhansk
Separatist zones built their own mobile carriers with hardware seized from Lifecell and
Kyivstar: Phoenix (Feniks) in Donetsk; Lugacom (later MCS) in Luhansk. They kept the
Ukrainian MCC (255) until 2022, when they began migrating to Russian +7 prefixes.
CUBA · HAVANA
Community Wi-Fi mesh
Community Wi-Fi mesh with up to 100,000 nodes in Havana. No public internet dependency.
It had games, forums, local voice, file repositories. Absorbed by the state in 2019, but
it proved an entire city can run its own parallel network.
2021–TODAY · MYANMAR
Post-coup: ham radio and Starlink
After the Feb/2021 military coup, the junta shut down mobile internet repeatedly.
Resistance leaned on amateur radio, mesh networks with LoRaWAN, and
smuggled Starlink terminals (some confiscated by the military).
2019–2022 · HONG KONG / IRAN
Mesh over Bluetooth
Apps like Bridgefy and Briar became communication channels during protests. Messages
hopped phone-to-phone over Bluetooth and Wi-Fi Direct, never touching a carrier.
Vulnerabilities surfaced later, but the paradigm stuck.
Brazil entered the era of gang phreaking. Across 2024 and 2025, São Paulo state
police dismantled three sophisticated operations using clandestine telecom hardware for
large-scale banking fraud. The MO is industrial: knock victims off the legit signal, force
them onto a rogue BTS controlled by the gang, blast SMS with phishing links.
São Paulo · Crime-syndicate phreaking · 2024–2025
2024-07-23 · AV. FARIA LIMA
Antenna car at Faria Lima
The driver of a rented car was caught red-handed by a patrol. He had been circling 8 to 12
hours a day along Av. Paulista and Av. Faria Lima with transmitters that knocked nearby
phones off 4G. When the signal dropped, the rig fired SMS with a fake banking link. He
confessed to police that he was paid R$ 1,000/week just to drive.
JAN/2025 · MORUMBI
Apartment BTS in Morumbi
An apartment on the 19th floor of a building in Morumbi (West Zone), with an antenna
mounted on the balcony and aimed at the Marginal Pinheiros highway. The 2G rig jammed
3G/4G/5G within a 2 km radius. A single antenna can fire over 100,000 messages per day.
ANATEL and the Polícia Civil dismantled the operation after a 6-month investigation.
EAST ZONE
Antenna car in the East Zone
Another police operation, another antenna car. A 35-year-old was firing ~40,000 SMS/hour
from inside his vehicle in the East Zone, also targeting Av. Paulista and Pinheiros. Radio
transmitters and directional antennas were seized. He was charged with criminal
association and unauthorized access to computing devices.
The common denominator: carrier-grade hardware (femtocells originally sold as residential
repeaters), patched firmware, directional antennas, and software derived from OpenBTS / YateBTS.
The technical ecosystem researchers demoed in 2013 reached retail crime ten years later.
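A defender-side heuristic for this pattern, added here as an illustration and not code from the article or from any of the cited cases: it assumes a constructed phone-side log format (serving-cell changes and incoming SMS) and a constructed baseline of known cells, and flags the signature the three cases share, a forced drop to 2G onto an unknown cell followed by URL-bearing SMS.

```python
import re
from datetime import datetime, timedelta

# Constructed phone-side log (not a real capture), modelled on the São Paulo MO:
# jam 3G/4G/5G, catch the phone on a rogue 2G cell, blast phishing SMS.
# MCC 724 is Brazil; the MNC, LAC, CID, numbers and URLs are made up.
SAMPLE_LOG = """\
12:00:01 CELL rat=LTE mcc=724 mnc=99 lac=1234 cid=50001 rssi=-78
12:00:31 CELL rat=LTE mcc=724 mnc=99 lac=1234 cid=50001 rssi=-80
12:01:02 CELL rat=GSM mcc=724 mnc=99 lac=9999 cid=1 rssi=-45
12:01:09 SMS from=+5511900000000 body=Seu acesso foi bloqueado: http://bank-verify.example/x
12:01:15 SMS from=+5511900000000 body=Atualize agora http://bank-verify.example/y
12:04:40 CELL rat=LTE mcc=724 mnc=99 lac=1234 cid=50002 rssi=-81
12:09:00 SMS from=+5511911111111 body=Almoco amanha? http://menu.example/hoje
"""
# Cell identities seen during normal operation in the area (constructed baseline).
BASELINE = {("724", "99", "1234", "50001"), ("724", "99", "1234", "50002")}

CELL_RE = re.compile(r"(\S+) CELL rat=(\w+) mcc=(\d+) mnc=(\d+) lac=(\d+) cid=(\d+) rssi=(-?\d+)")
SMS_RE = re.compile(r"(\S+) SMS from=(\S+) body=(.*)")
URL_RE = re.compile(r"https?://\S+")

def detect_rogue_cell(log, baseline, window_s=300):
    """Heuristic: alert on a drop from LTE/NR to GSM onto a cell identity absent from the
    baseline, and on URL-bearing SMS arriving within window_s seconds of such a drop.
    A genuine 2G fallback onto a known cell is not flagged; that is what the baseline is for."""
    alerts, prev_rat, suspicious_until = [], None, None
    for line in log.splitlines():
        m = CELL_RE.match(line)
        if m:
            ts, rat, mcc, mnc, lac, cid, _rssi = m.groups()
            t = datetime.strptime(ts, "%H:%M:%S")
            cell = (mcc, mnc, lac, cid)
            if rat == "GSM" and prev_rat in ("LTE", "NR") and cell not in baseline:
                alerts.append(("DOWNGRADE", ts, cell))
                suspicious_until = t + timedelta(seconds=window_s)
            prev_rat = rat
            continue
        m = SMS_RE.match(line)
        if m:
            ts, sender, body = m.groups()
            t = datetime.strptime(ts, "%H:%M:%S")
            if suspicious_until and t <= suspicious_until and URL_RE.search(body):
                alerts.append(("SMS", ts, sender))
    return alerts

if __name__ == "__main__":
    for alert in detect_rogue_cell(SAMPLE_LOG, BASELINE):
        print(*alert)
```

The SMS at 12:09:00 falls outside the window and is not flagged; on a real device the baseline would be learned from days of normal cell observations rather than hard-coded.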
Phreakers discover that the phone hookswitch replicates the rotary’s pulses.
Locks on dials become useless. A young Joybubbles learns to “tap-dial” in
Virginia before he learns to read.
1957, DISCOVERY · Joe Engressia whistles 2600 Hz at age 7
AT&T’s “trunk idle” tone fits inside a human whistle. Phreaking is born.
1968, BRAZIL · Telebrás adopts R2/MFC variant 5C
Register-to-register signaling and out-of-band supervision (3825 Hz). Without
knowing it, Brazil builds an architectural barrier against the domestic blue
box for 35 years.
1971, POPULARIZATION · “Secrets of the Little Blue Box” in Esquire
Ron Rosenbaum’s article introduces Captain Crunch to the world. Wozniak and Jobs read it.
1972–75 · Wozniak and Jobs sell Blue Boxes at Berkeley
US$ 150 a piece. Seed capital for Apple Computer Company.
1980s · CCS7 kills analog phreaking
AT&T separates signaling from the audio channel. Audible tones stop working.
1984 · 2600 Magazine is founded
Named after the magic tone. Still circulating today.
1992, RIO · Bardini inductive card debuts at Eco-92
First commercial deployment of this technology anywhere. Brazil exports telephony
engineering for the first time, but the graphite trick follows close behind.
1994, SP · Derneval “Curupira” Cunha founds Barata Elétrica
First Portuguese-language hacker e-zine. Distributed via BR and foreign BBSes,
translates and adapts American phreaker literature to the R2/Telebrás landscape.
2013, DEF CON 21 · Verizon femtocell hacked for US$ 300
Ritter and DePerry: voice and SMS from any nearby phone, in a backpack.
2016 · First documented SS7 attacks in Brazil
Fraudsters intercept 2FA SMS via roaming-hub vulnerabilities.
FEB/2019 · Metro Bank (UK), 2FA interception via SS7
Bank accounts drained. Case becomes a regulatory reference.
AUG/2020 · Belarus, modems via XS4ALL
Internet dies, dial-up via the Netherlands rises. 56 kbps is resistance.
AUG/2023 · Artsakh, Lachin cable cut
Nagorno-Karabakh goes offline. HF and amateur radio absorb residual traffic.
JUL/2024 · Brazil, antenna car on Faria Lima
4G knocked out, phishing SMS, arrest in flagrante in Parque São Lucas.
JAN/2025 · Brazil, apartment BTS in Morumbi
Balcony antenna, 19th floor, aimed at Marginal Pinheiros. 100,000 SMS/day.
The BR scene built its own jargon. Some of it is literal translation from American;
some is pure invention, born in IRC, BBSes and zines. Much of it is lost because the
oral vocabulary was never compiled. The glossary below is fragmentary and partial, drawn
from the memory of people who lived it.
| Term | Meaning | Origin / context |
|---|---|---|
| Pau / PauFree | Free international call via US Toll Free + Blue Box on a C5 route. | 90s BR · local equivalent of “trunk seized” |
| Dar pau | Successfully seizing an international trunk. Variant: “deu pau no Costa Rica”. | Verb derived from “pau” |
| Tiar | Generate MF tones to signal digits to a remote switch. | Onomatopoeic, from the sound of MF C5 tones |
| Quebra de trunk | Trunk seizure after a 2600 Hz whistle/tone. | Direct translation of “trunk seizure” |
| Telexo | Phone sex intercepted by FM-radio eavesdropping on cordless phones. | BR apocope · amateur interception, 90s |
| Badisco | Operator phone / lineman handset. BR equivalent of the Beige Box. | Commercial · Multitoc, Intelbras, Solução |
| Caiu a ficha | Literally: the payphone token dropped = unit billed. Figuratively: the late realization of something obvious. | BR generalized · escaped the payphone and became national slang |
| Linha cruzada | Strangers’ conversation leaking onto your line. Usually EM interference, not a physical crossover. | Degraded twisted pairs · “ghost wires” |
| Fuçador | Hacker. Derneval’s translation of “hacker” in Estadão, 1994. “Curious one, someone who roots around.” | Barata Elétrica · proposed BR equivalent |
| Rato de laboratório | Beginner phreaker, usually based out of a tech center, technical school or university. | Oral · BR zines |
| IRC contro | In-person meetup of IRC users. More social than technical: “BFF, or the Tinder of its day”. | |
Two audio fragments that date Brazilian analog phreaking like an acoustic fossil. Anyone
who lived through it recognizes them in 1 second. Anyone who didn’t can now hear them.
▸ DIAL TONE · TELEBRÁS · continuous 425 Hz
The Brazilian dial tone was a continuous 425 Hz; the American (Bell) dial tone was a
350 + 440 Hz dual tone.
Travelers used to recognize the country by its dial tone before they saw any landscape.
The full analog-modem negotiation fit in 20 seconds. Each tone cluster was a
stage of the V.34/V.90 protocol. The clip strings together handshakes from several
generations (300 baud, V.32, V.34, V.90): the most nostalgic sound of the internet.
In the 1980s, AT&T began migrating to the CCS7 (Common Channel Signaling) system, which
separates signaling from the audio channel. From that point on, no audible tone could
control the network; analog phreaking was dead.
But its legacy is immense. Wozniak and Jobs sold blue boxes in UC Berkeley dorms before
founding Apple. Joybubbles became folklore. The magazine 2600: The Hacker Quarterly,
founded in 1984, takes its name from the magical tone. And the ethos (radical curiosity,
reverse-engineering closed systems) became the DNA of hacker culture.
Five decades on, the cast has changed. The actors are now organized crime, intelligence
services, cyber-mercenaries. The targets are personal data, banking authentication, political
surveillance. And on the other side of the table, activists and entire communities rebuild
infrastructure (mesh, LoRa, dial-up, HF, satellite) to punch through state blockades.
In every context, the lack of native security in legacy protocols (SS7, Diameter, SIP) and
the ubiquity of mobile phones drive both the modernization of defenses (signaling firewalls,
end-to-end encryption) and the sophistication of offenses. The phreaking cycle didn’t close;
it just changed octave.
⚠ DISCLAIMER
This article is strictly educational and historical. The analog techniques described haven’t
worked on modern networks for nearly 40 years. The modern techniques involve serious crimes:
fraud, interception, unauthorized access, in every jurisdiction mentioned here. Reproducing,
selling or operating IMSI catchers, modified femtocells or SIM boxes is a crime in Brazil
(Lei 9.472/97, Lei 12.737/12 and successors) and in most countries. This text exists to help
you understand the problem, not reproduce it.