Key Findings

• Webloc, an ad-based geolocation surveillance system, tracks up to 500 million mobile devices globally without warrant requirements

• Law enforcement agencies in the U.S., Hungary, and El Salvador have deployed the tool, including ICE, DHS, and local police departments across multiple cities

• The system accesses device identifiers, location coordinates, and personal data harvested from mobile apps and digital advertising networks

• Israeli company Cobwebs Technologies developed Webloc and merged with Penlink in July 2023, which now sells the product

• Cobwebs was previously deplatformed by Meta in 2021 for operating fake accounts to conduct reconnaissance and social engineering

• 219 active servers associated with Webloc deployments identified worldwide, with majority in the U.S., Netherlands, and Singapore

Background

Webloc emerged as a commercial product in October 2020, marketed by Cobwebs Technologies as a location intelligence platform that fuses web data with geospatial information. The tool is sold as an add-on to Tangles, another law enforcement software suite focused on social media and web intelligence. When Penlink acquired Cobwebs Technologies in mid-2023, it inherited this surveillance capability along with an established customer base spanning military, intelligence, and police agencies.

How the Surveillance System Operates

Webloc functions by purchasing data streams from mobile applications and digital advertising networks. The system collects and maintains records on hundreds of millions of devices, storing device identifiers, precise location coordinates, and behavioral profiles harvested from app ecosystems. Users can retroactively analyze location data spanning up to three years in the past, allowing agencies to reconstruct movement patterns of entire populations. The tool can also infer locations from IP addresses and cross-reference this information with home addresses and workplace data to identify individuals behind specific devices.

Widespread U.S. Law Enforcement Adoption

U.S. government customers include Immigration and Customs Enforcement, the military, the Department of Homeland Security, and the Texas Department of Public Safety. Beyond federal agencies, the system has been deployed by district attorneys in New York City and police departments in major cities including Los Angeles, Dallas, Baltimore, and Tucson. Smaller jurisdictions in places like Elk Grove, California and Pinal County, Arizona have also procured access, indicating penetration down to local law enforcement levels.

International Deployment and Oversight Concerns

Citizen Lab researchers documented use of Webloc by Hungarian domestic intelligence and El Salvador's national police. The concerning aspect extends beyond geographic reach to the lack of legal safeguards. Unlike warrant-based surveillance, Webloc operates through commercial data channels, creating a legal gray area that allows continuous monitoring of advertising IDs and connected devices. Procurement documents highlight the system's capacity to automate continuous surveillance without traditional judicial oversight mechanisms.

Cobwebs Technologies' Problematic History

The company behind Webloc faced significant credibility issues before the Penlink acquisition. Meta deplatformed Cobwebs in December 2021 alongside six other cyber mercenaries for operating approximately 200 fraudulent accounts. These accounts targeted activists, opposition politicians, and government officials, particularly in Hong Kong and Mexico, while conducting social engineering to infiltrate closed communities and extract personal information. The deplatforming revealed that Cobwebs had customers across Bangladesh, Hong Kong, the U.S., New Zealand, Mexico, Saudi Arabia, and Poland.

Connections to Israeli Spyware Industry

Analysis of corporate records revealed ties between Cobwebs and Quadream, an Israeli spyware vendor, through Omri Timianker. Timianker founded Cobwebs Technologies and served as its president before moving to oversee Penlink's international operations following the merger. Cobwebs Technologies itself appears to have ceased independent operations in 2023, with its functions absorbed into Penlink's corporate structure.

Global Server Infrastructure

Researchers identified 219 active servers associated with Webloc deployments worldwide. The infrastructure concentrates heavily in the U.S. with 126 servers, followed by the Netherlands with 32 servers. Singapore hosts 17 servers while Germany and Hong Kong each maintain 8. The United Kingdom operates 7 servers. Additional deployment infrastructure spans across Africa, Asia, and Europe, indicating a truly global surveillance capability operated through distributed systems.

Company Response and Privacy Claims

Penlink responded to the Citizen Lab report by disputing the findings, claiming they rely on inaccurate information or misunderstandings about operational practices. The company stated that Penlink does not engage in the practices attributed to Cobwebs prior to the acquisition. Penlink emphasized compliance with U.S. state privacy laws, though this claim does not address the core concern of warrant-free tracking capability inherent to the Webloc system.

Broader Implications for Digital Privacy

Citizen Lab's research highlights a significant gap in surveillance regulation. The use of commercially-purchased advertising data by law enforcement agencies operates in a legal twilight zone where warrant requirements often do not apply. This allows military, intelligence, and police units from international to local levels to conduct intrusive tracking without adequate judicial oversight or transparency mechanisms currently embedded in traditional surveillance frameworks.

Sources

• https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html

• https://www.cypro.se/2026/04/11/citizen-lab-law-enforcement-used-webloc-to-track-500-million-devices-via-ad-data/