Ahmad Ashour (ARIJ) – Hala Nouhad Nasreddine (DARAJ)
16 December 2025
This investigation is part of the “Damascus Files” project, which is based on 134,000 documents from the Syrian intelligence services, obtained by German broadcaster NDR and shared with the International Consortium of Investigative Journalists (ICIJ) and several other media organizations.
This investigation shows how the communications department of Syrian military intelligence managed to obtain data of customers of the telecoms companies Syriatel and MTN Syria during President Bashar al Assad’s regime. This not only breached the privacy of the customers, but enabled the former regime to keep tabs on its political opponents.
It was August 2024 and a group of men were standing in Karama Square in Suwayda holding up placards with slogans against the former Syrian regime. On a wall behind them was scrawled the phrase: “Down with Bashar al-Assad… Free Dhibin.’
At the time, this group was unaware that it had been under surveillance for about a month and that a file on the communications made by several of its members entitled “Incitement and the provoking of disorder in the province of Suwayda” was sent to the director of Syria’s General Intelligence Service (GIS) by its technical section, Branch 208.
The same month, this branch helped other security branches to track 15 targets, eight of whom were arrested. It located them using an “Al-Rashida 4G” (a vehicle equipped to carry out eavesdropping).
3
requested by the State Security Branch in Aleppo 322
3
requested by the State Security Branch in Latakia 325
3
requested by the State Security Branch in Tartus 345
2
requested by the Counter-Espionage Branch 300
2
requested by the Investigation Branch 285
1
requested by the State Security Branch in Homs 318
1
requested by the External Branch of State Security 279
3
arrested by the State Security Branch in Aleppo 322
2
arrested by the Counter-Espionage Branch 300
1
arrested by the Tartus State Security Branch 345
2
arrested by the External Branch of State Security 279
2
arrested by the State Security Branch in Homs 318
During 2023, the GIS tracked at least 233 mobile numbers, only 30 of which were referred to the security services. Files were opened on some of these cases, while the rest were dismissed due to “insufficient evidence” related to the individuals involved.
The existence of hundreds of documents detailing calls made and received by individuals the former Syrian regime’s intelligence services deemed “worth monitoring” raised a critical question: How did such detailed information end up in the hands of the regime’s security apparatus? This was especially troubling given that most of these individuals were ultimately found not to be suspected of any wrongdoing.
This investigation reveals that the communications department – Branch 225 – of the Syrian military intelligence obtained the contact details of customers of the Syrian telecoms companies Syriatel and MTN Syria, and forwarded them to the GIS. This violated the companies’ obligation to protect their customers’ personal data, as required under Article 50 of the Telecommunications Law.
Our investigation shows that Syriatel’s technical department used to upload all of its customers’ data to the DATADB database of communications of military intelligence with no judicial authorization. Despite changes to the company’s board of directors and executive leadership in 2020, it appears to have continued these practices until the regime fell in December 2024. The same executive management team continues to run Syriatel under the current transitional government.
In the summer of 2023, tensions peaked in Suwayda, (a province with majority Druze population). Protests against the Assad regime escalated in Karama Square in the village of Dhibin, south of Suwayda, after the “Ahrar Jabal al-Arab Gathering” group – which was created on Facebook in May 2022 – called on the people of Suwayda to demonstrate for “freedom and dignity.”
After about eight months of protests, this Facebook group accused the regime of “sending Iranian Quds Force militias to the vicinity of Suwayda and reinforcing its military units and security branches.” It insisted that the protests were peaceful, despite what it described as an “escalation”by the regime.
After a year of protests,, the security forces set up a checkpoint at the entrance to the city. This provoked the organizers of the movement. They posted a statement emphasising the peaceful nature of the protests, complaining about the checkpoint, and indicating that “the free people of Jabal al-Arab” (Another reference to Druze sect) were prepared “to confront any aggression.” But, before the situation got out of hand, the group announced in August 2024 a temporary halt to the protests.
While security forces surrounded the Suwayda movement on the ground by setting up barriers around the city, Branch 280 of the GIS used its agents to monitor posts on the “Ahrar Jabal al-Arab Gathering” Facebook page, and to gather information on Suwayda activists.
On July 8, 2024, the head of Branch 280 was reviewing information about Suwayda activist Rabah Ghabra, who was active on Facebook. He then issued a decision (Document No. 11903) ordering an examination of the calls made from and received by the activist’s phone number.
On July 30, 2024, Branch 280 wrote to Branch 300 (in document No. 11404) asking for a log of calls made by the owner of a Syriatel mobile phone SIM card, along with audio recordings of calls made between April 22 and May 1 of the same year.
Ghabra’s call log showed his geographical location. It also showed that he was in touch with other activists in Suwayda. As a result, a request (No. 11992) was sent on August 8 for audio recordings from the numbers Ghabra had been in contact with.
The investigation quickly widened, as the intelligence asked for a list of calls made and received from another number, which later turned out to belong to activist Fouad Adel Bou Hamdan, who had been with Ghabra in the demonstrations.
It was not only the GIS that was involved. Branch 300 wrote on September 6, 2024, (letter No. 6503) to the communications department of the Ministry of Defence, requesting text messages, data, and the numbers of calls to and from Bou Hamdan.
Three days later, the department forwarded the available text messages and numbers of calls made and received from this number to Branch 300. This gave the GIS a clear idea about the coordination of the demonstrations led by Ghabra and Bou Hamdan.
The GIS, subsequently, presented its findings to the State Security Branch 312 in Suwayda “for information and necessary action.”
“How did you get this information?” Ghabra asked in surprise when the investigation team told him what was in the intelligence files. Though having no hard evidence, he thought he was under surveillance because of his political activity, and that this had led to several security agencies issuing arrest warrants against him in 2015.
Ghabra had been at the forefront of silent demonstrations in Karama Square against the country’s deteriorating economic conditions since the end of 2021. These protests reached their peak in August 2023.
The Karama Square demonstrations took place daily, but the number of participants declined over time, eventually dropping to 15. We found that details of all their calls, and the time and location they were made, had been entered in GIS files.
Suwaida activists in Karama Square
“People stopped going to the protests because they were threatened by political security, especially public-sector employees,” Ghabra recalled. He looked back on nearly four years of sporadic demonstrations in Suwayda, in which he himself took part. During that time, he received repeated threats from both intelligence and security agencies, all aimed at pressuring him to abandon the “Suwayda movement.”.
Ahmed Abazid, coordinator of the Syrian Memory Institution, who studied the administrative and organizational structure of the various Syrian security branches, found recordings of activists in military intelligence documents before the revolution. “Surveillance after the revolution became more intense and more widespread,” he said, claiming that activists were arrested as a result of their communications being monitored.
Abazid added that access to communications data and caller information was available to several security agencies, and no single branch had a monopoly on this information. General intelligence, military intelligence, air force intelligence, and the Political Security Directorate were in coordination to obtain information about their targets.
The leaked files showed us the method the General Intelligence Service (GIS) used to access communications data of those it targets. First, Branch 280 – one of the internal branches of the GIS – would be asked for various types of data related to mobile phone numbers. This branch would then contact Branch 225 of military intelligence, responsible for managing communications, to obtain information about the owners of the mobile phone SIM cards and their communications data.
The GIS trained its own staff on the basics of communications management, with the aim of enhancing the counter-espionage capabilities of Branch 280. This included processing technical reports on a target’s incoming and outgoing calls and text messages, as well as handling reports on international communications and identifying the owners of the numbers involved. They were also trained in handling technical reports on mobile communications, such as the target’s movements, locations, coverage, and IMEI and IMSI serial numbers.
General intelligence tracked the activities of at least 233 mobile numbers during 2023. In 86 percent of these cases, the matter was “closed due to lack of firm evidence,” while 12 cases remained “under review.”
The intelligence agencies doubled their efforts with regard to the remaining 30 cases and succeeded in arresting seven during the last quarter of 2023, using what are known as Al-Rashida vehicles.
These are cars equipped with listening devices which intelligence agents drive around the streets of Syria monitoring landlines and mobile calls to locate and arrest the owner of a targeted number.
To this end, general intelligence trained ten of its officers in 2023 to improve their ability to use Al-Rashida cars to track suspects, under the supervision of what they dubbed“our Chinese friends.”
201
cases closed due to lack of evidence
12
targets under investigation
7
targets referred to the Investigation Branch 285
6
targets referred to the Espionage Branch 300
5
targets on which memoranda were filed
1
Target referred to the State Security Branch in Latakia 325
1
Target referred to the State Security Branch in Daraa 315
There is systematic coordination linking the various intelligence branches, but there is a link missing at the heart of the operation; how it is that the communications department of military intelligence obtained this data, which is supposed to be confidential, according to Article 50 of the Syrian Telecommunications Law of 2010. That is the question that drove us to uncover this missing link.
On December 3, 2023, Branch 300 wrote to the communications department (letter No.9/300/7720) asking for information about mobile numbers registered to a particular person’s national ID number. Two days later, the department wrote back (letter No. 4/225/119242) telling the branch that there were no SIM card numbers registered to that ID number.
What drew our attention was that the communications department’s information was based on “data available from both companies.” We found this sentence in six other documents containing information provided by the communications department on owners of mobile phones or on SIM cards registered to national ID numbers.
Documents mentioning that communications department depended on two Syria Telecom Companies to obtain the calls data of the citizens
Two companies provide mobile phone services in Syria; one is Syriatel Mobile Telecom, set up in 2000. The other is MTN Syria, a brand which launched on the Syrian telecoms market in 2007.
Both companies state on their websites that they are committed to “protecting your personal data using industry-standard security measures.”
When the importing of SIM cards from a company suspected of having dealings with the Iranian defence ministry became public in 2021, MTN Syria denied using this company’s SIM cards and insisted that it tested its SIM cards to prevent hacking.
Although Syriatel admitted buying chips from this company, it said at the same time that it was committed to having “multiple levels of protection to ensure customer privacy and security.”
Despite this, an investigation in 2020 by Branch 251 of general intelligence into the director of one of Syriatel’s technical departments proves that this private telecom company had handed its customers’ data to the communications department of military intelligence.
When asked about the relationship between Syriatel and Communications Branch 225 of military intelligence, the director said: “The IT department provides this branch with the following: all files issued by the various Syriatel systems, which are managed through the withdrawal and distribution system within data governance.”
He added that the department he heads provides the communications branch of military intelligence with “information about subscribers and all their communications by uploading files containing this information to a database specific to the communications branch, called DATADB. There is also a backup server in Tartus Governorate that holds a second copy of this database, given its importance to this branch.”
Investigation with Syriatel IT department manager mentioning the cooperation between the company and the Intelligence Service
This practice does not appear to be anything new. When protests broke out in 2011, Syriatel was asked to track the locations of certain mobile phone numbers. These reached a total of 9,147 in December 2011, according to former employees of the company.
A list of these numbers was leaked by a number of employees. When we obtained one of the leaked files, we found similarities with documents from 2024. One was the presence of a note saying that some of the numbers were entered “at the request of… Branch 225”. About 134 numbers were tracked using the IMEI of the mobile device – which, as stated in the 2024 intelligence files, means the serial numbers of the devices. Written next to these numbers was “Black list-Branch 225.”
Branch 225 is the number of the communications department of the Military Intelligence Directorate. Syriatel provides it with all subscriber information and communications, according to a former technical director with the company.
Dr. Nidal Zarifeh, who worked at Syriatel until 2009, said that the communications department of military intelligence kept hold of all Syriatel customer information even before 2011. After the outbreak of the revolution, they looked even more closely at this information, and it was used to achieve military advantage.
General intelligence asked its communications department and other branches to find out the coverage of certain mobile numbers. It also found details of the geographical location of callers from call logs.
Zarifeh, who has a PhD in electrical engineering from the University of Duisburg-Essen in Germany, saidthat the caller’s location is automatically recorded in Syriatel records, so security agencies do not need advanced technology to find out the geographical location of their targets.
Using the same approach, security agencies used records of calls to access the geographical location of individuals suspected of “being active with the Syrian Democratic Forces (SDF) in the eastern regions.”
Reading through the monitoring documents on these activists led us to the same agencies. Branch 280 of the general intelligence contacted Branch 300 (letter No. 13287) on August 28, 2024 requesting information on 26 phone numbers and identifying the last location of the holders of these numbers.
About a week later, Branch 300 forwarded the request to the communications department of military intelligence, which responded with detailed information on the owners of these numbers, some of which were with Syriatel and others with MTN.
It was surprising to find Abdul Eid al-Askar’s MTN Syria number on this list, which intelligence described as containing the names of people “active in the Kurdish militias (SDF).” Al-Askar, a 50-year-old from the town of Muhaymida west of Deir ez-Zor, had been detained by the SDF for more than a month in early 2020.
Al-Askar was not politically active. He worked in the trade of tiles, ceramics, and marble, but became entangled in a commercial dispute. In 2019, after the Syrian government committed to rebuilding the Armenian Martyrs Church, destroyed by Islamic State fighters in 2014,, the church entrusted him with helping in the restoration. He said he received an official commission for the work, approved by the presidential palace.
Everything went normally at first. Before the work began, Al-Askar was summoned to the office of one of the security agencies where he was given the green light to start work. However, his business dealings were disrupted when someone close to the Fourth Division asked him to terminate the contract, as he hoped to take over the restoration work himself. Al-Askar told the man he would have to put in a request to the church to terminate the contract.
After that, Al-Askar was summoned to the military security branch in Deir ez-Zor, where he was given a clear order by one of the officers: “The branch chief’s instructions require that you have no dealings at all with the church. If you go against this order you’ll be thrown in jail.”
Al-Askar believed that a report containing allegations against him, and accusing him of “cooperating with the SDF and the Kurds,” had put him on the security radar. He had repeatedly received indirect instructions not to communicate with “people opposed to the regime or wanted by the security services.”
At that point, Askar cut off contact with his son-in-law and his nephew, who lives in Beirut, because he was wanted for military service. He was terrified of receiving a call from anyone wanted by the security services, convinced that one call could land him in “Saydnaya Prison.”.
What Al-Askar and Ghabra share is not only that they were both targeted by the security services, with their call records and locations tracked in two different regions. It is also that they placed their trust in two telecom companies that presented themselves as private, profit-driven businesses built on customer calls and subscriptions.
Under the stifling sanctions imposed on Syria after 2011, some of which affected the telecoms sector, the two companies continued to generate revenue from customers. This amounted to $282.17 million for Syriatel in 2024, and about $120 million for MTN.
According to the two companies’ financial reports, this revenue stream was the economic backbone for both of them and required that they be loyal to their customers. But a closer look at the ownership and management of the two companies reveals connections that help explain how the communications data of a merchant from Deir ez-Zor and an activist from Suwayda, among others, ended up in the hands of the Syrian intelligence services.
In 2000, Syriatel was launched as Syria’s first mobile phone company. Since its inception, it has sparked controversy due to its links to the Assad family. Bashar al-Assad’s cousin, businessman Rami Makhlouf, owns a majority stake in the company.
Makhlouf was sanctioned by the US Treasury Department in 2008 over suspicions that he was “building his business empire by exploiting his connections with members of the Syrian regime, manipulating the Syrian judicial system, and using Syrian intelligence officials to intimidate his business rivals.”
After the protests broke out in Syria in early 2011, the US Treasury Department put Syriatel on its sanctions list over its links to Makhlouf. The company was also subject to European and British sanctions for the same reason.
A series of reports indicated that private mobile phone companies were cooperating with military intelligence to suppress the growing protests. In 2012, Bloomberg reported that Branch 225 had ordered Syriatel and MTN Syria to block text messages with keywords such as “revolution” or “demonstration.”
Digital rights expert Dima Samaro said that monitoring of mobile communications began a few years prior to the revolution. That was when European and Chinese companies provided Syriatel and MTN Syria with technical systems that enabled the security agencies to track communications. After the revolution broke out, surveillance operations intensified.
Samaro, who contributed to a 2021 report by Access Now on digital surveillance in Syria, says that Syrian telecoms companies allowed the authorities access to user data, which allowed them to find where activists were located. She said that the security services were able to access company systems directly, without any judicial authorisation, in what was described at the time as “an alliance between the regime and telecommunications companies to oppress citizens.”
By 2020, the mobile sector in Syria had been restructured. The government tightened its hold over it by placing Syriatel – represented by the Syrian Telecommunications Establishment Company – under judicial receivership through its chairman, Mohamed Mazen al-Mahairi.
In July 2021, the company’s judicial receivership was lifted, and the structure of its board of directors was changed.
Administrative changes were also made to the company. Majda Saqr resigned as CEO and was replaced by Mureed Sakhr al-Atassi.
MTN Syria was also placed under judicial receivership in 2021, and the chairman of TeleInvest Limited was appointed as judicial receiver. The company remains in receivership today. There were subsequent changes to the company’s management structure, with Mohammad Wasim Al-Shatta being made CEO.
The situation in both companies remained unchanged, aside from some modifications to the management structure, until the fall of the regime in December 2024. After that, both companies quickly updated their websites and social media accounts with the new Syrian flag and declared their support for the new regime.
Some months later, the director of MTN Syria resigned and was replaced by his deputy, Mohammad Mazen al-Mahairi, the former judicial administrator of Syriatel and assistant to the minister of communications and technology in 2018.
In Syriatel, however, there were no changes to the administrative structure, headed by Murid Sakhr al-Atassi. He was the IT manager in 2020 before being promoted to his current position.
Under the administrative authority of the CEO is the chief technical officer, whose department includes IT. According to investigations by general intelligence in 2020, this office has links to the communications department of military intelligence.
Syriatel’s board of directors authorizes the CEO to manage the company’s day-to-day affairs and communicate with public and private organizations, according to the company’s commercial registration documents.
Al-Atassi’s name appeared as the general manager for IT in documents compiled during an intelligence investigation into the director of one of Syriatel’s technical departments in 2020. This was in the context of the company’s own internal probe into the cause of a breach of the company’s “external servers” in December 2018.
These investigations by Syriatel’s information security unit and the communications department of military intelligence (Branch 225) did not result at the time in charges being brought against any employees suspected of involvement in the breach. It was one of a series of security breaches that began in 2014, some of which originated in European, Asian, and African countries. The manager who was investigated by Branch 225 in 2020 put these breaches down to “the poor technical state of Syriatel’s information security unit.”
As such, the data of customers of Syria’s largest telecoms company was compromised, once by unidentified hackers from various locations, and again when customer call data was handed to the military intelligence communications department.. This department then supplied other security agencies with information on Syriatel and MTN users. This enabled the regime to maintain its reach even into areas where its actual control had been undermined in the final years of its rule.
“In general, Syrian authorities are obligated to protect the human rights of all Syrians, including the right to privacy. If Syrian telecom companies violate users’ right to privacy, the Syrian government should investigate and hold to account the companies or officials responsible.
And under the UN Guiding Principles on Business and Human Rights, companies have a responsibility to avoid causing or contributing to human rights abuses and to address relevant risks directly linked to their operations and commercial relations.”
Adam Coogle, Deputy Director of the Middle East and North Africa Division at Human Rights Watch
In its response to the investigation, the current Ministry of Communications and Information Technology stated that the current phase in Syria is radically different from the repression under the previous regime. It added that the judicial authorities and relevant investigative bodies are responsible for investigating the allegations attributed to the former regime, and that the new Ministry of Communications and Information Technology is committed to regulating legal access to citizens’ data. Access to this data is granted only with legal authorization and specific, time-bound court orders, and under the supervision of the relevant authorities.
The Ministry did not comment on our questions regarding the continued existence of the administrative and executive structures at both Syriatel and MTN Syria, despite their cooperation with military intelligence in obtaining customer data. It merely stated that the Syrian telecommunications sector is undergoing a transitional phase, during which it is subject to a comprehensive administrative and regulatory review. It added that some legal obstacles are currently being addressed, paving the way for its restructuring in terms of investment, commerce, and services.
Today, Abdul Eid al-Askar from Deir ez-Zor and Rabah Ghabra from Suwayda still have the same mobile numbers that allowed their activities to be exposed under the previous regime. Al-Askar’s privacy was compromised, and because of the surveillance he was under, he was prevented from communicating with his son-in-law abroad. His freedom of communication was restricted to such an extent that he was forced to separate from his wife. “The surveillance utterly destroyed me,” he says. “I even lost my wife.”
Ghabra blamed the telecom companies for what he believed was their decision to side against him and his comrades in the so-called “Suwayda Movement”. “Telecom companies are not neutral,” he said. “If there were a free climate for investment, these companies would be subject to conditions and standards. But instead they come under the regime.”
Muhamed Hassan contributed to this investigation
