Bulgarian citizen Orlin Roussev, recently arrested in the UK for espionage, has been confirmed as the owner of a signal interception company that provided surveillance equipment to former Wirecard top manager Jan Marsalek, who fled to Russia after an embezzlement scandal surrounding the payment system and was later revealed as an informant for Russian and Austrian intelligence services.
According to a report by the independent investigative outlet Dossier Center, Roussev provided Marsalek with equipment capable of calculating the location and connections of telephone subscribers. The scheme involved a Russian citizen.
The Dossier Center studied the correspondence of Roussev and Marsalek, revealing that they had been in communication since 2015. Roussev notably forwarded a message to Marsalek from a representative of Uphonemobile, a Chinese company that manufactures waterproof phones and body-worn cameras. Roussev mentioned that the company offered top-notch personalized solutions, and he had already placed an order for an exceptionally durable phone with “exotic features.”
According to Dossier, Roussev soon also gave Marsalek an “exotic device” — a Samsung push-button phone with custom-made anti-surveillance firmware. The correspondence showed that Roussev also gave Marsalek the opportunity to use the SS7 telecommunication protocol.
The operator support (the transfer of Marsalek's number from a German cellular operator to T-Mobile CZ) for this device was handled by Russian Anton Grishaev, a resident of the Czech Republic. British investigators could have had Grishaev in mind when they claimed that Roussev had “business experience” in Russia, Dossier suggests.
Marsalek utilized SS7 to send text messages to specific subscribers and gather information about their whereabouts. He also employed specialized software to access call details, IP addresses linked to other SIM cards, and identification numbers (IMEI and IMSI) to gain full control over their devices. By switching networks, Marsalek could elude the scrutiny of German authorities.
According to Grishaev's LinkedIn page, he was listed as the European Operations Director at AMEuroTel from 2007 to 2014. AMEuroTel, established in 2005 and based in Cyprus, offers global telecommunications services, including voice and data connections.
The next company associated with Grishaev is CloudTelecom — a firm offering telecommunications services and specializing in high-frequency trading solutions. Grishaev's company websites are currently inactive. Archived pages reveal that in 2013, the main company was listed as ElComTel, based in Moscow, Russia. Other branches were located in the Czech Republic, Germany, and the UK. The Cloud Ltd. office in the UK was notably located in Suffolk, close to Roussev's place of residence, as reported by the BBC.
By 2015, the Czech representative office was no longer listed on the website, and the British company was replaced by a Latvian registered firm. By 2017, only the Riga office remained, and information about ElComTel was no longer present on the website.
ElComTel then changed its address and name to Klyuchevoy Kadr. While Anton Grishaev is not listed as one of the founders, his sister Olga Sergeevna Grishaeva is included in the list of participants in the firm. The Grishaev family hails from Seversk, a restricted town in Russia's Tomsk Region, known for hosting a facility engaged in the production of enriched uranium and plutonium.
Little information about Anton Grishaev is available in openly accessible Russian-language sources. After examining various databases, the Dossier Center concluded that he has been living outside of Russia for a long period of time.
Signaling System 7 (SS7) is an international telecommunication protocol standard for exchanging data between telephone operators. It has a notable weakness: attackers can enter the system by setting up their own personal operator anywhere globally or through links with a mobile service provider. By sending text messages to users, they can find out at least where the user is and who they are connected with. In more severe cases, they can even get into the device's files. This security flaw was taken advantage of in cases similar to the utilization of the Israeli spyware known as Pegasus.