VOX POPULI

Intrusive malware targeted powerful individuals in Uganda

by EACIR Reporter
January 26, 2026
in Investigations, Surveillance

Governments in East Africa have adopted Stalinist tactics fuelled by a Western-based surveillance industrial complex, which supplies intrusive malware targeting political adversaries, human rights activists, and journalists.

These invisible, prying eyes have given security agencies unbridled power across these authoritarian states.

A recent investigation has shone the spotlight on a surveillance grid, which has been flying below the radar and is in use across the East African nations, including Uganda, Kenya, Tanzania, and Rwanda. These states continue to commit egregious abuses, including enforced disappearances, incommunicado detentions and extra-judicial killings against their citizens.

The exposé emerged after a Lighthouse reporter found a large data archive on the deep web, consisting of more than a million tracking operations used to geolocate the phones of thousands of people worldwide.

Data obtained by Lighthouse Reports, a Netherlands-based investigative media house, and shared with 14 other global media outlets, reveals that the software has been used to target at least 14,000 phone numbers in 168 countries since 2007—including journalists, lawyers, senior corporate executives, military personnel, entrepreneurs, and artists—often in complete violation of the law.

Intrusive spyware
The surveillance secrets project sheds light on First Wap, a surveillance company registered in Indonesia, which has covertly sold its products to authoritarian states and private actors by exploiting gaps in export control regulations.
It is not clear whether some of the FinFisher malware the Ugandan security team purchased in 2012 from Gamma GmbH was originally sold by the Indonesian firm, First Wap, to the German firm and later resold to the Ugandan government.

Specifically, in June 2012, the Ugandan security team travelled to Europe as guests of Gamma to attend ISS World, the key international surveillance trade show, according to a Gamma Visitor Programme. At Gamma’s Munich headquarters, they learned more about the surveillance products from Gamma partner companies from around the world — Trovicor, Utimaco, Polaris, Cobham, among others. It was likely during this trip that they interacted with the spyware of First Wap, a Gamma partner company, and were able to conduct a trial test of the product.

Coincidentally, the Ugandan security team stayed at the Clarion Congress Hotel in Prague. On June 4th, 2025, the hotel hosted Europe’s major secretive trade fair for advanced surveillance technology companies including the Indonesian firm, which manufactured First Wap.

Perhaps this is how the phone records of the Ugandan security officials involved in the purchase of the German spyware ended up on the deep web, where they were discovered by the Lighthouse journalist. The purpose of the intrusive malware from Gamma parallels that of First Wap, which is capable of geolocating and infecting devices, including phones and laptops.

The data found on the web contains a blend of demonstration tracking attempts on consenting people; nonconsensual demonstration tracking attempts; technical testing on company phones, burners or on fake or random numbers; and operational tracking attempts carried out by various users.

Vox Populi has threaded a report that offers a snapshot of the inner workings of a Ugandan security team that travelled to the German city of Munich and to Prague, the capital of the Czech Republic, to procure intrusive spyware for an elaborate covert operation. Among other uses, the spyware was deployed to nip in the bud the walk-to-work protests, which were launched four months after the 2011 presidential election by the opposition doyen, Kizza Besigye. The identities of the Ugandan security team were first revealed by a UK-based non-profit organisation, Privacy International.

Victims of the spyware
The Ugandan team included Nelson Gilbert Rwantale; Brig. Michael Bbosa, the former ICT Director of the Ugandan army; Brig. Charles Oluka, who at the time of the purchase was a Colonel and was later appointed as a spy-Tsar heading the Internal Security Organisation (ISO); and Amos Ngabirano, the former police ICT director. Of the four men, only two are alive after Bbosa and Oluka died in 2021 and 2025, respectively.

Ngabirano, formerly a civilian who was recruited into the force as an IT expert and quickly ascended the ranks to become an assistant Inspector General of Police, was a protégé of the former Inspector General of Police, Gen Kale Kayihura. He fled the country to the United Kingdom in 2018 at the peak of investigations targeting his boss. Shortly after he was fired in 2018, Kayihura was accused of involvement in the assassination of the former Assistant Inspector General of Police, Andrew Felix Kaweesi, and of carrying out acts of espionage on behalf of the neighbouring state, Rwanda. Kayihura was later freed by the General Court Martial (GCM) in August 2023.

Some of the other Ugandan-based phone numbers found on the deep web included those belonging to Mazen Mroué, the Chief Executive Officer of MTN Group Digital Infrastructure, who previously served as the MTN Uganda CEO in 2012 and later relocated to MTN Irancell in 2014. The other cellphone number discovered on the deep web belongs to Barak Orland, an Israeli businessman living in Uganda for over a decade who runs the flight company, Bar Aviation, and has been involved in the sale of military equipment.

According to Haaretz, an Israeli newspaper, in May 2012, Barak became a surveillance target after ‘an unknown actor used what was then cutting-edge technology to pinpoint his phone as he walked across Istanbul’s Atatürk Bridge.’

Fungua Macho
Upon returning from abroad, the Ugandan security team rolled out the covert surveillance project codenamed Operation ‘Fungua Macho,’ meaning ‘open your eyes’ on 12 January 2012 to counter the walk-to-work protests shortly after the 18 February 2011 presidential election.
The walk-to-work protests against the soaring prices of basic commodities and transport created a groundswell of resentment among citizens. Aided by the recently acquired intrusive spyware, security agencies were able to infiltrate the opposition protests, which they feared could morph into Arab Spring-style protests if they were not controlled.
By the end of April 20121, security agents had shot dead about nine people, and about 600 opposition supporters were detained in cells and prison.

A briefing memo dated 20 January 2012, authored by the Chieftaincy of Military Intelligence (CMI) boss Brig. Charles Bakahumura, placed the Director of Technical Intelligence, Col. M Bbosa, at the apex of the surveillance operation. The memo informed the President that the then Chief of Defence Forces, the late Gen Aronda Nyakairima, and the then Inspector General of Police, Gen Kale Kayihura, had received ‘hordes of data’ regarding national interest threats.

The memo, which was copied to President Museveni, revealed that the major plank of the spyware was to target opposition politicians, moles within government, and journalists.
The memo did not mention that the spyware could be used to prevent crime or terrorist attacks. Its purchase coincided with a sharp rise in homicides, which, according to the annual crime report, were at a staggering 17.8 per cent compared to the previous year.

After Uganda’s security officials returned from abroad, a team of experts from Gamma International, including the General Manager, Stephan Oelkers, and Alexander Hegenah, a senior security specialist, visited the country to train security personnel on the use of the spyware intrusion system. The cellphones of Oelkers and Hegenah were also found on the deep web.

Success rate
According to the memo from Bbosa, the spyware consisted of ‘hardware and software packages that were to be used by law enforcement agencies for covert information collection, which information can then be used in the process of enforcing law and order. It can covertly be deployed in buildings, vehicles, computers, mobile phones, cameras, and any other equipment for information extraction or surveillance.’

The memo read further, “The only limitation for our case is that it is hard to use on highly encrypted networks, especially institutions or individuals that use Virtue Private Networks (VPNs). However, the good news is that very few Ugandans are techware [sic] of the advantages of VPNs, and so given the calibre of our negative-minded politicians, we stand a very high chance of being a step ahead.”
Some of the objectives of the intrusion malware were to ‘crack down on government officials and personnel who leak information to the opposition, to covertly collect information from the opposition entities, to manage and control media houses and opposition politicians, which in the worst-case scenario may involve blackmailing them especially after personal information is in our hands.’

Bbosa is quoted in the memo speaking about the success rate of the intrusive spyware. “This can be testified by the success rate we have had, especially in curtailing the walk to work demos that started this week. Without implants and embeds, we have been able to get hordes of information revealing secret plans, especially of FDC, even before they act upon them.”

The security personnel argued that the spyware from the German firm had previously been used to successfully crush dissent in authoritarian governments like Rwanda, Zimbabwe, and Syria.
Lighthouse Reports revealed that in 2012, the wife of General Faustin Kayumba Nyamwasa and the bodyguard of Patrick Karegeya, two founders of the Rwanda National Congress—an opposition movement operating in exile in South Africa—were tracked within minutes of one another.

Karegeya, who worked as a former spy-chief in Kagame’s RPF government, was found strangled in a Johannesburg hotel room 18 months after his bodyguard was targeted by Altamides on 1 January 2014. On 19 June 2010, Nyamwasa was shot by assassins in the stomach and survived another two assassination attempts.

Installation
The mainframe of the surveillance system was installed at the Uganda Police Command Centre on Parliamentary Avenue in Kampala, under the supervision of Lt David Nkiriho. The intrusive malware was deployed across hotels in Kampala largely to target foreign journalists, government institutions, including spy agencies like the Chieftaincy of Military Intelligence, Internal Security Organisation, and External Security Organisation and Parliament.

The brief reads that fake access points were planted in residential areas like Munyonyo, Kensington Housing estate, Lubowa estate, and Kololo to target those who live in those areas. It also targeted those deemed dangerous to state security, including government officials and opposition politicians who are being surveilled, and when opportunity strikes, their machines and gadgets are to be infected by FinFly Trojan horses for remote surveillance.

First Wap was founded in 1999 in Indonesia by an Austrian national, Josef Fuchs, who died in 2024, and a Frenchman, Pascal Lalanne, both longtime residents of the country. The company initially developed an SMS-based messaging service that enjoyed early success before collapsing with the dot-com crash. In 2004, the French co-founder left the company, selling his shares, and First Wap had to reinvent itself. Leveraging its partnerships with numerous telecom operators, it pivoted to phone surveillance. Fuchs, a former executive at Siemens and Telkomsel—one of Indonesia’s largest telecom operators—became the main architect of this shift, alongside another Telkomsel executive, German national Jonny Goebel.

Intercepting SMSes
Their tracking solution, initially called FastTrax and later Altamides, emerged in the mid-2000s. It enables locating mobile phones and, later, intercepting calls and SMS messages. It works by exploiting core telecommunication signalling: to route communications, operators need to know which cell tower each phone is connected to (usually the closest one). Knowing the cell tower means knowing the phone’s location.

First Wap, taking advantage of the telecom industry’s widespread laxity in security, queried operators silently to geolocate any device in the world. The firm also offers SMS interception, which can be used to take control of a WhatsApp account by capturing the code sent to transfer the account from one phone to another.
Altamides is First Wap’s flagship tool: a platform capable of geolocating any phone in real time and even taking control of a WhatsApp account.
The Surveillance Secrets project, led by Lighthouse Reports in collaboration with 14 media outlets, including Le Monde, sheds light on this small-to-medium-sized company that has been marketing surveillance tools worldwide for two decades. Targeting data obtained by Lighthouse Reports shows that First Wap’s software has been used to target at least 14,000 phone numbers in 168 countries since 2007—including journalists, lawyers, senior corporate executives, military personnel, entrepreneurs, and artists—often in complete violation of the law.

After Fuchs and Lalanne founded First Wap in 1999 in Indonesia, the company hit heady heights before collapsing with the dot-com crash. In 2004, Lalanne, the French co-founder, left the company, selling his shares, and First Wap had to reinvent itself. Leveraging its partnerships with numerous telecom operators, it pivoted to phone surveillance. Fuchs, a former executive at Siemens and Telkomsel—one of Indonesia’s largest telecom operators—became the main architect of this shift, alongside another Telkomsel executive, German national Jonny Goebel.

Global in scope
According to Lighthouse Reports, this is not the first archive related to a surveillance company’s activities, but it is certainly the most granular. It contains 1.5 million records, more than 14,000 unique phone numbers, and people surveilled in over 160 countries. It represents an extraordinarily detailed account of when and where people were tracked, and what users of the tracking tool saw.
The only clue to a target’s identity was a phone number. A team of reporters at Lighthouse and Paper Trail Media spent months painstakingly identifying the owners of those phone numbers.

To drill down into the data and better understand it, we divided it into “clusters” of targets—networks of people connected in time or space. As Lighthouse Reports investigated clusters and put names to phone numbers, stories began to emerge.

The Altamides archive is global in scope. Lighthouse Reports discovered high-profile individuals, including powerful political figures such as the former Prime Minister of Qatar and the wife of the ousted Syrian dictator Bashar al-Assad. We found Netflix producer Adam Ciralsky, Blackwater founder Erik Prince, Nobel Peace Prize nominee Benny Wenda, Austropop star Wolfgang Ambros, Tel Aviv district prosecutor Liat Ben Ari and Ali Nur Yasin, a senior editor at our Indonesian partner Tempo.

In Italy, investigative journalist Gianluigi Nuzzi was tracked days after publishing a dramatic exposé of corruption in the Vatican, as police closed in on his source. In California, Anne Wojcicki, founder of DNA startup 23andMe and then married to Google’s Sergey Brin, was tracked more than a thousand times as she moved across Silicon Valley.

First Wap said in a response to this investigation that it denies “any illegal activities” or “human rights violations.” The company said it could not comment on specific allegations that could “enable client identification.” It further elaborated that the company does not perform any tracking itself and that “after installation” of Altamides, it has no further knowledge of how the product is used. First Wap emphasised that its technology is used by law enforcement to “fight against organized crime, terrorism and corruption.”

© 2025 Vox Populi. All Rights Reserved.
